Apache Cassandra™ 1.2

Preparing server certificates

Generate SSL certificates for client-to-node encryption or node-to-node encryption.

If you generate the certificates for one type of encryption, you do not need to generate them again for the other: the same certificates are used for both.

All nodes must have all the relevant SSL certificates on all nodes. A keystore contains private keys. The truststore contains SSL certificates for each node and doesn't require signing by a trusted and recognized public certification authority.

Procedure

  1. Generate the private and public key pair for the nodes of the cluster leaving the key password the same as the keystore password:
    keytool -genkey -alias <cassandra_node0> -keyalg RSA -keystore .keystore
    
  2. Repeat the previous step on each node using a different alias for each one.
  3. Export the public part of the certificate to a separate file and copy these certificates to all other nodes.
    keytool -export -alias cassandra -file cassandranode0.cer -keystore .keystore
    
  4. Add the certificate of each node to the truststore of each node, so nodes can verify the identity of other nodes.
    keytool -import -v -trustcacerts -alias <cassandra_node0> -file <cassandra_node0>.cer -keystore .truststore
    keytool -import -v -trustcacerts -alias <cassandra_node1> -file <cassandra_node1>.cer -keystore .truststore
    . . .
    
  5. Make sure .keystore is readable only to the Cassandra daemon and not by any user of the system.