Hi Jacob,


There is no problem using the same certificate (whether issued by some
authority or self-signed) on all nodes as long as it's present in the truststore. The CN
doesn't matter in this case; it can be any string you want.

> Would this impact client-to-node encryption

No, but clients should either add the node's certificate to their truststore or
disable validation (each Cassandra driver does this in its own way).



Best regards, Vladimir Yudovin, 

Winguzone - Hosted Cloud Cassandra
Launch your cluster in minutes.
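Added illustration of the point above (example code written for this page, not from the thread or from any Cassandra driver): one self-signed node certificate with a bare CN is placed in a truststore, and a client runs three handshakes against it. With a driver's default checks the CN-only certificate fails hostname matching; trusting the certificate but skipping only the hostname check passes while still rejecting a certificate that is not in the truststore; disabling validation outright accepts anything. The CN, the expected hostname "node1.cassandra.internal" and the loopback listener standing in for a node are all made up here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sharedNodeCert builds the one self-signed certificate every node keeps in its keystore: a bare CN, no hostname SANs (constructed; errors dropped as inputs are fixed).
func sharedNodeCert(cn string) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake serves keystore on a loopback TLS listener (one node) and dials it as a client whose truststore is roots.
// checkChain+checkName is a driver's default; checkChain alone trusts the truststore but ignores the CN; neither means "disable validation".
func handshake(keystore tls.Certificate, roots *x509.CertPool, checkChain, checkName bool) error {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{keystore}}) // loopback errors dropped for brevity
	defer ln.Close()
	go func() { // node side: accept one connection, run its handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli := &tls.Config{RootCAs: roots, ServerName: "node1.cassandra.internal", InsecureSkipVerify: !checkName} // made-up hostname; InsecureSkipVerify also drops the chain check
	if checkChain && !checkName { // put the chain check back; with no DNSName set, the CN is never compared
		cli.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err == nil {
				_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
			}
			return err
		}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err == nil {
		conn.Close()
	}
	return err
}
```

The same three outcomes apply when the truststore holds the issuing intermediate CA instead of the node certificate itself, as in the Comodo setup discussed further down.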





---- On Thu, 27 Oct 2016 16:45:48 -0400 Jacob Shadix <jacobsha...@gmail.com> wrote ----

I am interested if anyone has taken this approach to share the same keystore 
across all the nodes with the 3rd party root/intermediate CA existing only in 
the truststore. If so, please share your experience and lessons learned. Would 
this impact client-to-node encryption as the certificates used in internode 
would not have the hostnames represented in CN?



-- Jacob Shadix

On Wed, Sep 21, 2016 at 11:40 AM, sai krishnam raju potturi 
<pskraj...@gmail.com> wrote:

hi Evans;

   Rather than having one individual certificate for every node, we are looking
at getting one Comodo wild-card certificate and importing that into the
keystore, along with the intermediate CA provided by Comodo. As far as the
trust-store is concerned, we are looking at importing the intermediate CA
provided along with the signed wild-card cert by Comodo.

   So in this case we'll have just one (generic) keystore and truststore
that we'll copy to all the nodes. We've run into issues, however, and are
trying to iron those out. We're interested to know if anybody in the community has
taken a similar approach.

   We are pretty much going along the lines of the following post by LastPickle:
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html
Instead of creating our own CA, we are relying on Comodo.



thanks

Sai

On Wed, Sep 21, 2016 at 10:30 AM, Eric Evans <john.eric.ev...@gmail.com> wrote:

On Tue, Sep 20, 2016 at 12:57 PM, sai krishnam raju potturi <pskraj...@gmail.com> wrote:
> Due to the security policies in our company, we were asked to use 3rd-party
> signed certs. Since we'll need to manage 100's of individual certs, we
> wanted to know if there is a workaround with a generic keystore and
> truststore.

Can you explain what you mean by "generic keystore"?  Are you looking
to create keystores signed by a self-signed root CA (distributed via a
truststore)?

--
Eric Evans
john.eric.ev...@gmail.com












