Generating a self-signed Certificate Chain Using openssl (2024)


For local communication, self-signed certificates and a private trust store are usually sufficient for securing communication. Indeed, several nodes can share the same certificate, as long as we ensure that our trust configuration is not tampered with.

To build a self-signed certificate chain, begin by creating a certificate configuration file like this:

[ req ]
default_bits = 4096
default_keyfile = <hostname>.key
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = <country code>
ST = <state>
L = <locality/city>
O = <domain>
OU = <organization, usually domain>
CN = <hostname>.<domain>
emailAddress = <email>

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Substitute the values in <> with those that suit your organization. For this example, let's call our host db and our domain foo.bar, and create a file called db.cfg:

[ req ]
default_bits = 4096
default_keyfile = db.key
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = SE
ST = Stockholm
L = Stockholm
O = foo.bar
OU = foo.bar
CN = db.foo.bar
emailAddress = [email protected]

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Note

Each new signed certificate must have a different "CN=" value in its "req_distinguished_name" section. Otherwise it will not pass the openssl verify check.

Then generate a key for the self-signing certificate authority:

openssl genrsa -out cadb.key 4096

And, using this key, the self-signed certificate authority (CA) certificate:

openssl req -x509 -new -nodes -key cadb.key -days 3650 -config db.cfg -out cadb.pem

Now, generate a private key for our certificate:

openssl genrsa -out db.key 4096

And from this, a signing request:

openssl req -new -key db.key -out db.csr -config db.cfg

Then we can finally create and sign our certificate:

openssl x509 -req -in db.csr -CA cadb.pem -CAkey cadb.key -CAcreateserial -out db.crt -days 365 -sha256
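The whole procedure above, as an added example that is not part of the ScyllaDB documentation: a POSIX shell script that writes the configuration files, runs the five openssl steps in a scratch directory, and then checks the result the way a node or client would, with openssl verify against cadb.pem as the only trust anchor. Two things are assumptions of this example rather than the page's own steps: the CA gets its own config file, ca.cfg, with CN=ca.foo.bar (so its subject differs from the node certificate's CN=db.foo.bar, as the Note above requires), and the final signing step passes -extfile db.cfg -extensions v3_req so the CA:FALSE and keyUsage extensions from the request actually land in db.crt (openssl x509 -req drops CSR extensions unless told to copy them). A second, unrelated CA (other.pem) is generated only to show that a certificate from the real CA is rejected when verified against a different trust store.

```shell
#!/bin/sh
# Added example, not ScyllaDB's own code. Builds the CA -> node cert chain
# from the docs above and verifies it. Assumptions: separate ca.cfg with
# CN=ca.foo.bar; extensions copied into db.crt via -extfile/-extensions.
set -eu

# Write ca.cfg (CA) and db.cfg (node) into directory $1.
write_configs() {
    cat > "$1/ca.cfg" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = SE
ST = Stockholm
L = Stockholm
O = foo.bar
OU = foo.bar
CN = ca.foo.bar
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$1/db.cfg" <<'EOF'
[ req ]
default_bits = 4096
default_keyfile = db.key
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = SE
ST = Stockholm
L = Stockholm
O = foo.bar
OU = foo.bar
CN = db.foo.bar
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:db.foo.bar
EOF
}

# CA key, self-signed CA cert, node key, CSR, signed node cert, all in $1.
# Returns non-zero if any openssl step fails (set -e inside the subshell).
make_chain() {
    write_configs "$1"
    ( cd "$1"
      openssl genrsa -out cadb.key 4096 2>/dev/null
      openssl req -x509 -new -nodes -key cadb.key -days 3650 -config ca.cfg -out cadb.pem
      openssl genrsa -out db.key 4096 2>/dev/null
      openssl req -new -key db.key -out db.csr -config db.cfg
      openssl x509 -req -in db.csr -CA cadb.pem -CAkey cadb.key -CAcreateserial \
          -out db.crt -days 365 -sha256 -extfile db.cfg -extensions v3_req 2>/dev/null )
}

# An unrelated CA (other.key/other.pem) that never signed db.crt.
make_other_ca() {
    ( cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
          -days 1 -config ca.cfg -subj "/CN=other.foo.bar" 2>/dev/null )
}

# verify_chain <trust-store.pem> <cert.pem>: 0 only if cert chains to the store.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# name_cn <cert.pem> -subject|-issuer: print the CN of that name field.
name_cn() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone run: build, verify, and print the subject/issuer pairing.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_chain "$d" && verify_chain "$d/cadb.pem" "$d/db.crt" && echo "chain OK"
    echo "db.crt subject CN: $(name_cn "$d/db.crt" -subject), issuer CN: $(name_cn "$d/db.crt" -issuer)"
    rm -rf "$d"
fi
```

Run it as `sh chain.sh run`. The positive check (verify against cadb.pem) is exactly what a ScyllaDB node or driver does with cadb.pem as its trust store; the negative check (verify against other.pem) is what happens when a client is pointed at the wrong trust store, which is the "trust configuration is not tampered with" condition from the introduction.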

As a result, we should now have:

  • db.key - PEM format key that will be used by the database node.

  • db.crt - PEM format certificate for db.key, signed by cadb.pem and used by the database node.

  • cadb.pem - PEM format signing identity that can be used as a trust store. Use it to sign client certificates that will connect to the database nodes.

Place the files in a directory of your choice and make sure you set permissions so your ScyllaDB instance can read them. Then update the server/client configuration to reference them.

When restarting ScyllaDB with the new configuration, you should see the following messages in the log:

When node-to-node encryption is active:

Starting Encrypted Messaging Service on SSL port 7001

When client to node encryption is active:

Enabling encrypted CQL connections between client and server
