DataStax Enterprise 3.0 Documentation

Preparing server certificates

This topic provides information about generating SSL certificates for client-to-node encryption or node-to-node encryption. If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.

Every node must hold the relevant SSL certificates of all nodes. A keystore contains a node's private key. The truststore contains the SSL certificate of each node; these certificates do not need to be signed by a trusted and recognized public certification authority.

To prepare server certificates:

  1. Generate the private and public key pair for the nodes of the cluster.

    keytool -genkey -alias <dse_node0> -keystore .keystore

    A prompt for the new keystore and key password appears.

  2. Leave the key password the same as the keystore password.

  3. Repeat steps 1 and 2 on each node using a different alias for each one.
    
  4. Export the public part of the certificate to a separate file and copy these certificates to all other nodes.

    keytool -export -alias <dse_node0> -file <dse_node0>.cer -keystore .keystore
    
  5. Add the certificate of each node to the truststore of each node, so nodes can verify the identity of other nodes.

    A prompt for setting a password for the newly created truststore appears.

    keytool -import -v -trustcacerts -alias <dse_node0> -file <dse_node0>.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias <dse_node1> -file <dse_node1>.cer -keystore .truststore
    . . .
    keytool -import -v -trustcacerts -alias <dse_nodeN> -file <dse_nodeN>.cer -keystore .truststore
    
  6. Distribute the .keystore and .truststore files to all DSE nodes.

  7. Make sure .keystore is readable only by the DSE daemon and not by any other user of the system.
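The procedure above scripted for a small cluster, as an added example that is not part of the DataStax documentation: it generates one keystore per node, exports each node's certificate, builds the shared truststore and checks the keystore permissions. It assumes keytool from a JDK is on PATH; the node names, password and directory layout are constructed placeholders.

```shell
#!/bin/sh
# Added example (not DataStax's own tooling): per-node keystores, one shared
# truststore and a permission check for nodes dse_node0..dse_nodeN.
# Assumes `keytool` from a JDK is on PATH; names and password are placeholders.
set -eu
WORKDIR="${WORKDIR:-./dse-certs}"
STOREPASS="${STOREPASS:-changeit}"   # constructed placeholder, use a real secret

# Steps 1-3: one key pair per node, alias = node name, key password = keystore password.
gen_node_key() {   # $1 = node alias
  keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1, OU=DSE, O=Example" \
    -keystore "$WORKDIR/$1/.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 4: export the node's public certificate to a separate file.
export_cert() {   # $1 = node alias
  keytool -export -alias "$1" -file "$WORKDIR/$1.cer" \
    -keystore "$WORKDIR/$1/.keystore" -storepass "$STOREPASS"
}

# Step 5: import every node's certificate into the shared truststore.
build_truststore() {   # $@ = node aliases
  for node in "$@"; do
    keytool -import -v -noprompt -trustcacerts -alias "$node" -file "$WORKDIR/$node.cer" \
      -keystore "$WORKDIR/.truststore" -storepass "$STOREPASS"
  done
}

# Step 7 check: the keystore must be mode 600 (owner read/write only).
keystore_mode_ok() {   # $1 = path; exit status 0 only if the mode is exactly 600
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

prepare_cluster() {   # $@ = node aliases
  for node in "$@"; do
    mkdir -p "$WORKDIR/$node"
    gen_node_key "$node"
    export_cert "$node"
    chmod 600 "$WORKDIR/$node/.keystore"
    keystore_mode_ok "$WORKDIR/$node/.keystore"
  done
  build_truststore "$@"
  for node in "$@"; do   # sanity check: every node alias must be in the truststore
    keytool -list -alias "$node" -keystore "$WORKDIR/.truststore" -storepass "$STOREPASS" >/dev/null
  done
}

if [ $# -gt 0 ]; then prepare_cluster "$@"; fi
```

Run it as `./prepare-certs.sh dse_node0 dse_node1 ...`; each node's `.keystore` then sits under its own directory and `.truststore` under `$WORKDIR`.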