Apache Cassandra™ 2.0

Using cqlsh with SSL encryption

Using a cqlshrc file means you don't have to override the SSL_CERTFILE environmental variables every time.

To run cqlsh with SSL encryption, you must:

  1. Create a .cassandra/cqlshrc file in your home or client program directory. Sample files are available in the following directories:
    • Package installations: /etc/cassandra
    • Tarball installations: install_location/conf
  2. Start cqlsh with the --ssl option.
    $ cqlsh --ssh ## Package installations
    $ install_location/bin/cqlsh -ssh ## Tarball installations


username = fred
password = !!bang!!$

hostname =
port = 9042

certfile = ~/keys/cassandra.cert
validate = true ## Optional, true by default
userkey = ~/key.pem ## Provide when require_client_auth=true
usercert = ~/cert.pem ## Provide when require_client_auth=true

[certfiles]  ## Optional section, overrides the default certfile in the [ssl] section = ~/keys/cassandra01.cert = ~/keys/cassandra02.cert

When validate is enabled, the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Related topics

The cassandra.yaml configuration file