0

I saw the Cassandra documentation: http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html

I found this line "SSL certificates must be generated using keytool".

But I have my self-signed CA (easy-rsa, OpenSSL) that gives me certificates and keys. I want to use these certificates and keys for Cassandra client-to-node security, and then I have to communicate using cqlsh. For this, the requirement is a keystore, certificate and keys. I tried, but I am not able to achieve this.

Mark Taylor
  • 121
  • 2

1 Answer

2

It looks like Cassandra uses the "Java native" storage database format (keystore) to keep cryptographic keys, certificates and certificate keys. It's quite easy to manage this database with the tool you mentioned above. There is comprehensive documentation on the Oracle docs page: https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

For your particular case, you need to follow these steps.

1) Import your RootCA cert to trusted authorities.

keytool -import -trustcacerts -alias rootCA -file rootCA.crt -keystore keystore.jks

2) Import your keypair into the storage database. The easiest way with keytool is to convert it to PKCS12 format and then import it into the keystore.

openssl pkcs12 -export -in mycert.pem -inkey mykey.pem > mykey.p12

Then convert this store into a Java key store:

keytool -importkeystore -srcstoretype pkcs12 -srckeystore mykey.p12 -destkeystore mykeystore.jks 

I can also suggest a nice GUI keystore tool (written in Java), http://www.keystore-explorer.org/, if you would like to manage it graphically.

Note that the default keystore password is set to 'changeit'. You are encouraged to change it.

eject
  • 355
  • 1
  • 5
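The steps from the answer above combined into one script, as an added example that is not part of the original answer. The file names, the alias `node1`, the separate `truststore.jks` and the password argument are assumptions; `make_sample_pki` only builds a throwaway CA and node certificate to stand in for easy-rsa output.

```shell
#!/bin/sh
# Added example: PEM cert/key issued by an OpenSSL CA -> JKS keystore + truststore.
# File names, aliases and passwords are constructed placeholders.
set -eu

# Stand-in for easy-rsa output: a throwaway CA and one node certificate.
make_sample_pki() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example.test" \
    -keyout "$1/node1.key" -out "$1/node1.csr" 2>/dev/null
  openssl x509 -req -in "$1/node1.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/node1.crt" 2>/dev/null
}

# $1 = directory holding ca.crt, node1.crt, node1.key
# $2 = store password (keytool requires at least 6 characters)
build_stores() {
  # Refuse to package a certificate that does not chain to the CA.
  openssl verify -CAfile "$1/ca.crt" "$1/node1.crt" >/dev/null
  # Key + cert + CA chain into PKCS12; -name becomes the keystore alias.
  openssl pkcs12 -export -in "$1/node1.crt" -inkey "$1/node1.key" \
    -certfile "$1/ca.crt" -name node1 -passout "pass:$2" -out "$1/node1.p12"
  # PKCS12 -> JKS keystore (holds the node's private key and chain).
  keytool -importkeystore -noprompt \
    -srckeystore "$1/node1.p12" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$1/keystore.jks" -deststoretype JKS -deststorepass "$2"
  # Truststore holds only the CA certificate, never a private key.
  keytool -importcert -noprompt -trustcacerts -alias rootCA -file "$1/ca.crt" \
    -keystore "$1/truststore.jks" -storetype JKS -storepass "$2"
  # Files containing private key material should not be world-readable.
  chmod 600 "$1/node1.key" "$1/node1.p12" "$1/keystore.jks"
}

# Prints the entry type stored under an alias:
# PrivateKeyEntry (key + chain) or trustedCertEntry (certificate only).
entry_type() {        # $1 = store file, $2 = password, $3 = alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

# Usage: sh pem2jks.sh <dir-with-pem-files> <password>
if [ "$#" -eq 2 ]; then
  build_stores "$1" "$2"
  entry_type "$1/keystore.jks" "$2" node1
fi
```

cqlsh is a Python client and reads PEM files directly, so it takes the CA certificate as `ca.crt` rather than as a JKS file.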