Dear Community,
I hope this email finds you well. I am currently testing SSL certificate
hot reloading on a Cassandra cluster running version 4.1 and encountered a
situation that requires your expertise.
Here's a summary of the process and issue:
1. Reloading Process: We reloaded certificates signed by our in-house
certificate authority into the cluster, which was initially running with
self-signed certificates. The reload was done node by node.
2. Truststore and Keystore: The truststore and keystore passwords are the
same across the cluster.
3. Unexpected Behavior: Despite the different truststore configurations for
the self-signed and new CA certificates, we observed no breakdown in
server-to-server communication during the reload. We did not upload the *new
CA cert* into the *old truststore.* We anticipated interruptions due to
the differing truststore configurations but did not encounter any.
4. Post-Reload Changes: After reloading, we updated the cqlshrc file with
the new CA certificate and key to connect to cqlsh.
server_encryption_options:
    internode_encryption: all
    keystore: ~/conf/server-keystore.jks
    keystore_password: XXXX
    truststore: ~/conf/server-truststore.jks
    truststore_password: XXXX
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
client_encryption_options:
    enabled: true
    keystore: ~/conf/server-keystore.jks
    keystore_password: XXXX
    require_client_auth: true
    truststore: ~/conf/server-truststore.jks
    truststore_password: XXXX
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
Given this situation, I have the following questions:
- Could there be a reason for the continuity of server-to-server
communication despite the different truststores?
- Is there a possibility that the old truststore remains cached even
after reloading the certificates on a node?
- Have others encountered similar issues, and if so, what were your
solutions?
Any insights or suggestions would be greatly appreciated. Please let me
know if further information is needed.
Thank you
Best regards,
Avinash