A basic script for setting up SSL on Cassandra or DSE
# gen_rootCa_cert.conf
# OpenSSL `req` configuration used to create the self-signed root CA.
# NOTE(review): the companion script runs `openssl req -config ca.conf ... -subj ...`,
# so this file has to be saved as (or linked to) ca.conf, and the `-subj` argument
# on that command line replaces the [ req_distinguished_name ] values below
# (it also spells the organisation "DataStax" rather than "Datastax").
[ req ]
distinguished_name = req_distinguished_name
# Non-interactive: take the subject from the section below instead of prompting.
prompt = no
# Demo-only passphrase. The script also passes -nodes, which writes ca.key
# unencrypted, so this value appears to have no effect there; protect ca.key
# with filesystem permissions instead.
output_password = password
# RSA key size for the CA key.
default_bits = 2048
[ req_distinguished_name ]
C = US
O = Datastax
OU = Drivers
CN = CA
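#!/bin/bash
# Generate a self-signed CA, one JKS keystore per node (holding a key pair whose
# certificate is signed by that CA), a shared truststore containing the CA
# certificate, and copy the stores to every node with scp.
#
# Usage: gen_ssl.sh <host1>,<host2>,...   (comma-separated node addresses)
#
# Environment (every default reproduces the script's original behaviour):
#   KEYSTORE_PASSWORD  password for all keystores and keys     (default: password)
#   CERT_DAYS          validity in days for CA and node certs  (default: 365)
#   CA_CONF            openssl req config for the CA           (default: ca.conf)
#   SSH_USER           remote user for scp                     (default: ec2-user)
#   SSH_KEY            private key for scp                     (default: id_rsa)
#
# Passwords are handed to keytool/openssl through the environment
# (-storepass:env / -passin env:) rather than on argv, so they do not show up
# in `ps` output or shell traces.
set -euo pipefail

: "${KEYSTORE_PASSWORD:=password}"
export KEYSTORE_PASSWORD
readonly CERT_DAYS="${CERT_DAYS:-365}"
readonly CA_CONF="${CA_CONF:-ca.conf}"
readonly SSH_USER="${SSH_USER:-ec2-user}"
readonly SSH_KEY="${SSH_KEY:-id_rsa}"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Driver configuration:
#
# "truststore.jks" or "ca.crt" are used by the drivers to validate the trust
# chain of the server-side certificates. For instance the java-driver could
# use the following parameters:
# -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=password

#######################################
# Create ca.key / ca.crt unless both already exist, so re-running the script
# keeps issuing node certs under the CA that is already in deployed truststores.
# Globals:   CA_CONF, CERT_DAYS (read)
# Outputs:   ca.key, ca.crt in the current directory
# Returns:   0 on success; exits via die/set -e on failure
#######################################
gen_ca() {
  if [[ -e ca.key && -e ca.crt ]]; then
    return 0
  fi
  [[ -r "$CA_CONF" ]] || die "missing OpenSSL config: $CA_CONF"
  echo "Generating CA cert/key..."
  # -subj overrides the distinguished_name section of $CA_CONF.
  # -nodes writes ca.key without a passphrase, hence the chmod afterwards.
  openssl req -config "$CA_CONF" -new -x509 -nodes \
    -subj /CN=CA/OU=Drivers/O=DataStax/C=US/ \
    -keyout ca.key -out ca.crt -days "$CERT_DAYS"
  chmod 600 ca.key
}

#######################################
# Rebuild truststore.jks containing only the CA certificate.
# Previously every *.jks in the directory was deleted first; now only the
# store being regenerated is removed.
# Globals:   KEYSTORE_PASSWORD (read by keytool via :env)
# Outputs:   truststore.jks
#######################################
gen_truststore() {
  rm -f -- truststore.jks
  keytool -importcert -keystore truststore.jks -alias ca -file ca.crt -noprompt \
    -keypass:env KEYSTORE_PASSWORD -storepass:env KEYSTORE_PASSWORD
}

#######################################
# Create <host>.jks with a fresh RSA key pair, get its certificate signed by
# the CA and import the CA cert plus the signed cert back into the keystore.
# Globals:   CERT_DAYS, KEYSTORE_PASSWORD (read)
# Arguments: $1 - node address; used as keystore name, alias and CN
# Outputs:   <host>.jks, <host>.csr, <host>.crt_signed
#######################################
gen_node_keystore() {
  local ip=$1
  local dname="CN=$ip, OU=Drivers, O=DataStax, C=US"
  echo "Generating keystore for $ip..."
  # Start from a clean slate for this node only (keytool refuses an existing alias).
  rm -f -- "$ip.jks" "$ip.csr" "$ip.crt_signed"
  # NOTE(review): the certificate carries the address only in CN, no SAN;
  # clients that enable hostname/endpoint verification will need a SAN entry.
  keytool -genkeypair -keyalg RSA -alias "$ip" -keystore "$ip.jks" \
    -storepass:env KEYSTORE_PASSWORD -keypass:env KEYSTORE_PASSWORD \
    -validity "$CERT_DAYS" -keysize 2048 -dname "$dname"
  keytool -certreq -keystore "$ip.jks" -alias "$ip" -file "$ip.csr" \
    -keypass:env KEYSTORE_PASSWORD -storepass:env KEYSTORE_PASSWORD -dname "$dname"
  # ca.key is unencrypted when created above; -passin only matters for a
  # pre-existing, passphrase-protected ca.key.
  openssl x509 -req -CA ca.crt -CAkey ca.key -in "$ip.csr" -out "$ip.crt_signed" \
    -days "$CERT_DAYS" -CAcreateserial -passin env:KEYSTORE_PASSWORD
  keytool -importcert -keystore "$ip.jks" -alias ca -file ca.crt -noprompt \
    -keypass:env KEYSTORE_PASSWORD -storepass:env KEYSTORE_PASSWORD
  keytool -importcert -keystore "$ip.jks" -alias "$ip" -file "$ip.crt_signed" -noprompt \
    -keypass:env KEYSTORE_PASSWORD -storepass:env KEYSTORE_PASSWORD
}

# Server configuration:
# The following needs to be added to "cassandra.yaml":
#
#client_encryption_options:
#    enabled: true
#    optional: false
#    keystore: /path/to/keystore.jks
#    keystore_password: password
#
#    require_client_auth: false
#    truststore: /path/to/truststore.jks
#    truststore_password: password
#    protocol: TLS
#    algorithm: SunX509
#    store_type: JKS
#    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
#
# With require_client_auth: false the server does not verify client certs;
# the truststore is then only relevant once that is switched on. The listed
# cipher suite uses RSA key exchange (no forward secrecy); prefer an ECDHE
# suite where the JVM and clients support it.

#######################################
# Copy the shared truststore and the node's keystore to the node's home dir.
# Globals:   SSH_USER, SSH_KEY (read)
# Arguments: $1 - node address
#######################################
deploy() {
  local ip=$1
  echo "Deploying key to $ip..."
  scp -i "$SSH_KEY" truststore.jks "$SSH_USER@$ip:~/truststore.jks"
  scp -i "$SSH_KEY" "$ip.jks" "$SSH_USER@$ip:~/keystore.jks"
}

#######################################
# Entry point: split the host list, build CA/truststore, then build and
# deploy one keystore per host. Empty list entries are skipped, as the
# original word-splitting did.
# Arguments: $1 - comma-separated node addresses (required)
#######################################
main() {
  (( $# >= 1 )) || die "usage: ${0##*/} <host1>,<host2>,..."
  local -a hosts=()
  # Commas separate entries; surrounding blanks are tolerated.
  IFS=$', \t' read -r -a hosts <<< "$1"
  gen_ca
  gen_truststore
  local ip
  for ip in "${hosts[@]}"; do
    [[ -n "$ip" ]] || continue
    gen_node_keystore "$ip"
  done
  for ip in "${hosts[@]}"; do
    [[ -n "$ip" ]] || continue
    deploy "$ip"
  done
}

main "$@"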