cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vishwajeet Singh <>
Subject Issue with Cassandra client to node security using SSL
Date Tue, 27 Oct 2015 06:07:53 GMT

I am using cassandra 2.1 . My goal is to do cassandra client to node
security using SSL with my self-signed CA.

Self-signed CA is giving me following files.
1. ca.crt
2. ca.key
3. client.csr
4. client.crt
5. client.key
6. client.p12

I am creating .jks (client.jks) file from client.p12 using below command so
that I can use client.jks as a keystore and truststore in cassandra.yaml
file. (We can't use .p12 file as a keystore and truststore because it's not
in X.509 format).

"keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12
-destkeystore client.jks -deststoretype jks -deststorepass <passwd>"

I have to connect cassandra with cql.

I am creating cqlshrc file in .cassandra directory and I am putting
client.crt as a certfile and usercert. I am putting client.key as a userkey.

When I am running "cqlsh --ssl". I am getting error (mentioned below).

"Connection error: ('Unable to connect to any servers', {'':
error(1, u"Tried connecting to [('', 9042)]. Last error: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)")})"

Second thing is when I am using ca.key and ca.crt and again creating client
certificate(node_cer_user1.pem), client key(node_key_user1.pem) and
keystore(node.keystore) using below commands then It's working.

1. keytool -importcert -alias <clusterCA> -file ca.crt -keystore
<clustertruststore> -storepass <passwd>
2. keytool -genkeypair -alias <node> -keyalg RSA -keysize 2048 -keypass
<passwd> -keystore <node.keystore> -storepass <passwd> -validity 365
3. keytool -keystore <node.keystore> -alias <node> -certreq -file
<node.cert> -storepass <passwd> -keypass <passwd>
4. openssl x509 -req -CA ca.crt -CAkey ca.key -in <node.cert> -out
<node.signed> -days 365 -CAcreateserial
5. keytool -keystore <node.keystore> -storepass <passwd> -alias <clusterCA>
-import -file ca.crt -noprompt
6. keytool -keystore <node.keystore> -storepass <passwd> -alias <node>
-import -file <node.signed> -keypass <passwd>
7. keytool -importkeystore -srckeystore <node.keystore> -destkeystore
<node_user1.p12> -deststoretype PKCS12
8. openssl pkcs12 -in <node_user1.p12> -nokeys -out <node_cer_user1.pem>
-passin pass:<passwd>
9. openssl pkcs12 -in <node_user1.p12> -nodes -nocerts -out
<node_key_user1.pem> -passin pass:<passwd>

Self-signed CA is giving me client.crt, client.key and keystore, then Why
It's not working? Why I have to create certificates again using ca.crt and


View raw message