You should be using a root certificate for signing all the node certificates to create a trust chain. That way nodes won't have to explicitly know about each other, only the root certificate.
This post has some details:
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html

On Tue, Nov 22, 2016 at 9:07 PM, Jai Bheemsen Rao Dhanwada <jaibheem...@gmail.com> wrote:

> yes, I am generating a separate certificate for each node.
> even if I use the same certificate how does it help?
>
> On Mon, Nov 21, 2016 at 9:02 PM, Vladimir Yudovin <vla...@winguzone.com> wrote:
>
>> Hi Jai,
>>
>> so do you generate a separate certificate for each node? Why not use one
>> certificate for all nodes?
>>
>> Best regards, Vladimir Yudovin,
>>
>> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra
>> Launch your cluster in minutes.*
>>
>> ---- On Mon, 21 Nov 2016 17:25:11 -0500 *Jai Bheemsen Rao Dhanwada
>> <jaibheem...@gmail.com>* wrote ----
>>
>> Hello,
>>
>> I am setting up encryption on one of my Cassandra clusters using the below
>> procedure.
>>
>> server_encryption_options:
>>     internode_encryption: all
>>     keystore: /etc/keystore
>>     keystore_password: xxxxx
>>     truststore: /etc/truststore
>>     truststore_password: xxxxx
>>
>> http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
>>
>> However, one difficulty with this approach is whenever I am adding a new
>> node I had to rolling restart all the C* nodes in the cluster, so that the
>> truststore is updated with the new server information.
>>
>> Is there a way to automatically trigger a reload so that the truststore
>> is updated on the existing machines without restart?
>>
>> Can someone please help?

--
-----------------
Nate McCall
Wellington, NZ
@zznate

CTO
Apache Cassandra Consulting
http://www.thelastpickle.com
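
The trust chain suggested at the top of this thread, as an added example that is not part of the original messages or of the linked post: a root CA signs each node certificate, and a truststore holding only the root accepts a node issued later without being touched. It assumes `openssl` (and optionally a JDK's `keytool`) is installed; the CA name, node names, the `changeit` password and the temporary directory are constructed for the demo, and keys are left unencrypted only because they are thrown away.

```bash
#!/usr/bin/env bash
# Added example. Constructed names: ExampleClusterRootCA, node1, node2, rogue.
set -e

make_ca() {            # $1 = work dir; creates the root key and self-signed root cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=ExampleClusterRootCA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_node_cert() {    # $1 = work dir, $2 = node name; node CSR signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -days 365 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAserial "$1/ca.srl" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

trusted_by_root() {    # true only if $2's cert validates against the root cert alone
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>/dev/null | grep -q ': OK$'
}

build_truststore() {   # truststore containing only the root cert (needs a JDK)
  keytool -importcert -noprompt -trustcacerts -alias rootca \
    -file "$1/ca.crt" -keystore "$1/truststore" -storepass changeit
}

demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_node_cert "$dir" node1
  if command -v keytool >/dev/null; then
    build_truststore "$dir" 2>/dev/null || echo "keytool import failed"
  fi
  issue_node_cert "$dir" node2   # node added later: the root cert is unchanged
  # A self-signed cert that the root never issued must be rejected.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
  for n in node1 node2 rogue; do
    if trusted_by_root "$dir" "$n"; then echo "$n: trusted"; else echo "$n: rejected"; fi
  done
  rm -rf "$dir"
}

demo
```
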