This topic provides information about generating SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.
Every node must hold all the relevant SSL certificates. The keystore contains the node's private key. The truststore contains the SSL certificate of every node; these certificates do not need to be signed by a trusted, publicly recognized certification authority.
To prepare server certificates:
1. Generate the private and public key pair for the nodes of the cluster, using an alias that identifies the node:
   keytool -genkey -alias <cassandra_node0> -keyalg RSA -keystore .keystore
   A prompt for the new keystore and key password appears.
2. Leave the key password the same as the keystore password.
3. Repeat steps 1 and 2 on each node, using a different alias for each one.
4. Export the public part of the certificate to a separate file and copy these certificates to all other nodes:
   keytool -export -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .keystore
5. Add the certificate of each node to the truststore of each node, so that nodes can verify each other's identity. The first import creates the truststore, and a prompt for setting its password appears:
   keytool -import -v -trustcacerts -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .truststore
   keytool -import -v -trustcacerts -alias <cassandra_node1> -file <cassandra_node1>.cer -keystore .truststore
   . . .
6. Distribute the .keystore and .truststore files to all Cassandra nodes.
7. Make sure .keystore is readable only by the Cassandra daemon and not by any other user of the system.
When client certificate authentication is enabled (require_client_auth=true), generate the user's certificate as described above. Then import the user's certificate into every node's truststore using keytool:
keytool -import -v -trustcacerts -alias <username> -file <certificate file> -keystore .truststore
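The node procedure above, automated for a small cluster as an added example that is not from the original page: a POSIX shell function builds one keystore per node (unique alias, key password equal to the keystore password), exports each public certificate, imports every certificate into a single shared truststore, copies that truststore next to each keystore, and restricts the keystore's file mode as the last step requires. The output directory, password, node aliases, the distinguished name, the RSA key size and the 365-day validity are assumptions; chown of .keystore to the Cassandra service account is left to the operator.

```shell
#!/bin/sh
# Hypothetical helper (not from the page): runs the keytool steps for a whole
# cluster. Usage: build_cluster_truststore <outdir> <password> <alias> [<alias> ...]
# Prints the number of trusted certificate entries in the shared truststore.
build_cluster_truststore() {
  outdir=$1; pass=$2; shift 2
  mkdir -p "$outdir"
  for node in "$@"; do
    mkdir -p "$outdir/$node"
    # Steps 1-3: one key pair per node under a unique alias; -keypass equals
    # -storepass so the key password matches the keystore password.
    # Assumed parameters: RSA 2048, 365-day validity, constructed -dname.
    keytool -genkeypair -alias "$node" -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$node, OU=cluster, O=example" \
      -keystore "$outdir/$node/.keystore" -storepass "$pass" -keypass "$pass" >/dev/null
    # Step 7: the keystore holds the private key; owner-only access.
    chmod 600 "$outdir/$node/.keystore"
    # Step 4: export the public certificate of this node.
    keytool -export -alias "$node" -file "$outdir/$node.cer" \
      -keystore "$outdir/$node/.keystore" -storepass "$pass" >/dev/null
  done
  # Step 5: import every node's certificate into one shared truststore.
  # -noprompt answers the "Trust this certificate?" question for the
  # self-signed node certificates; the first import creates the file.
  for node in "$@"; do
    keytool -import -noprompt -trustcacerts -alias "$node" -file "$outdir/$node.cer" \
      -keystore "$outdir/.truststore" -storepass "$pass" >/dev/null
  done
  # Step 6: the same truststore is placed beside each node's keystore.
  for node in "$@"; do
    cp "$outdir/.truststore" "$outdir/$node/.truststore"
  done
  # Check: each node alias should appear as a trustedCertEntry.
  keytool -list -keystore "$outdir/.truststore" -storepass "$pass" | grep -c trustedCertEntry
}
```

Run it as, for example, `build_cluster_truststore ./ssl changeit cassandra_node0 cassandra_node1`; the printed count should equal the number of aliases passed.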