On Thu, Nov 17, 2016 at 10:52 AM, sai krishnam raju potturi
wrote:
> I would suggest you create your own Certificate Authority, and create a
> generic keystore and truststore.
FWIW, that's what we (WMF) do: https://github.com/eevans/cassandra-ca-manager
--
Eric Evans
hi Jacob;
I would suggest you create your own Certificate Authority, and create
a generic keystore and truststore.
Cassandra by default does not implement HostName Verification in its
code. All it does is to check if its peer certificate is signed by the
trusted authority ( the root CA
Hi Jacob,
there is no problem to use the same certificate (whether issued by some
authority or self signed) on all nodes until it's present in truststore. CN
doesn't matter in this case, it can be any string you want.
Would this impact client-to-node encryption
No, but clients should
I am interested if anyone has taken this approach to share the same
keystore across all the nodes with the 3rd party root/intermediate CA
existing only in the truststore. If so, please share your experience and
lessons learned. Would this impact client-to-node encryption as the
certificates used
hi Evans;
rather than having one individual certificate for every node, we are
looking at getting one Comodo wild-card certificate, and importing that
into the keystore. along with the intermediate CA provided by Comodo. As
far as the trust-store is concerned, we are looking at importing the
On Tue, Sep 20, 2016 at 12:57 PM, sai krishnam raju potturi
wrote:
> Due to the security policies in our company, we were asked to use 3rd party
> signed certs. Since we'll require to manage 100's of individual certs, we
> wanted to know if there is a work around with a
thanks Robert; we followed the instructions mentioned in
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html. It worked great.
Due to the security policies in our company, we were asked to
use 3rd party signed certs. Since we'll
Hi Sai,
I would recommend following the approach described in this article via The
Last Pickle: http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html
It does a really good job of laying out a strategy for internode encryption
by rolling your own
hi;
has anybody enabled SSL using a generic keystore for node-to-node
encryption. We're using 3rd party signed certificates, and want to avoid
the hassle of managing 100's of certificates.
thanks
Sai