Re: Re : Generic keystore when enabling SSL

2016-11-18 Thread Eric Evans
On Thu, Nov 17, 2016 at 10:52 AM, sai krishnam raju potturi wrote:
> I would suggest you create your own Certificate Authority, and create a
> generic keystore and truststore.
FWIW, that's what we (WMF) do: https://github.com/eevans/cassandra-ca-manager
-- Eric Evans

Re: Re : Generic keystore when enabling SSL

2016-11-17 Thread sai krishnam raju potturi
hi Jacob; I would suggest you create your own Certificate Authority, and create a generic keystore and truststore. Cassandra by default does not implement HostName Verification in its code. All it does is to check if its peer certificate is signed by the trusted authority (the root CA

Re: Re : Generic keystore when enabling SSL

2016-10-28 Thread Vladimir Yudovin
Hi Jacob, there is no problem to use the same certificate (whether issued by some authority or self signed) on all nodes until it's present in truststore. CN doesn't matter in this case, it can be any string you want. Would this impact client-to-node encryption Nu, but clients should

Re: Re : Generic keystore when enabling SSL

2016-10-27 Thread Jacob Shadix
I am interested if anyone has taken this approach to share the same keystore across all the nodes with the 3rd party root/intermediate CA existing only in the truststore. If so, please share your experience and lessons learned. Would this impact client-to-node encryption as the certificates used

Re: Re : Generic keystore when enabling SSL

2016-09-21 Thread sai krishnam raju potturi
hi Evans; rather than having one individual certificate for every node, we are looking at getting one Comodo wild-card certificate, and importing that into the keystore, along with the intermediate CA provided by Comodo. As far as the trust-store is concerned, we are looking at importing the

Re: Re : Generic keystore when enabling SSL

2016-09-21 Thread Eric Evans
On Tue, Sep 20, 2016 at 12:57 PM, sai krishnam raju potturi wrote:
> Due to the security policies in our company, we were asked to use 3rd party
> signed certs. Since we'll require to manage 100's of individual certs, we
> wanted to know if there is a work around with a

Re: Re : Generic keystore when enabling SSL

2016-09-20 Thread sai krishnam raju potturi
thanks Robert; we followed the instructions mentioned in http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html. It worked great. Due to the security policies in our company, we were asked to use 3rd party signed certs. Since we'll

Re: Re : Generic keystore when enabling SSL

2016-09-20 Thread Andrew Tolbert
Hi Sai, I would recommend following the approach described in this article via The Last Pickle: http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html It does a really good job of laying out a strategy for internode encryption by rolling your own

Re : Generic keystore when enabling SSL

2016-09-20 Thread sai krishnam raju potturi
hi; has anybody enabled SSL using a generic keystore for node-to-node encryption? We're using 3rd party signed certificates, and want to avoid the hassle of managing 100's of certificates. thanks Sai