Last active
October 10, 2022 08:05
-
-
Save rsoika/aa323241aac51d16c8365c784ffadf84 to your computer and use it in GitHub Desktop.
Script to generate a key pair for encrypting the node-to-node communictaion within a cassandra cluster
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
############################################################################# | |
############################################################################# | |
# | |
# Cassandra Key Generator v1.0 | |
# | |
# This script can be used to generate a key pair to be used to encrypt the | |
# node-to-node communictaion within a cassandra cluster. | |
# | |
# The generated certificate can also be used for a client-to-node cummunication. | |
# | |
# run: ./cassandra-key-generator.sh [CLUSTER-NAME] [PASSWORD] | |
############################################################################# | |
############################################################################# | |
# Check if cluster-name and password are provided as params.... | |
if [ $# -le 1 ] | |
then | |
echo "*** Error: cluster-name and password is missing! " | |
echo "*** Usage: cassandra-key-generator.sh [CLUSTER-NAME] [PASSWORD])" | |
exit 0 | |
fi | |
#PASSWORD=cassandra | |
#CLUSTER_NAME=test | |
CLUSTER_NAME=$1 | |
PASSWORD=$2 | |
ORGANISATION="O=Imixs, L=MUC, ST=BAY, C=DE" | |
KEY_STORE_PATH="./certs" | |
mkdir -p "$KEY_STORE_PATH" | |
KEY_STORE="$KEY_STORE_PATH/cassandra.keystore" | |
PKS_KEY_STORE="$KEY_STORE_PATH/cassandra.keystore.pks12" | |
TRUST_STORE="$KEY_STORE_PATH/cassandra.truststore" | |
CLUSTER_PUBLIC_CERT="$KEY_STORE_PATH/${CLUSTER_NAME}.cer" | |
echo "**************************************************" | |
echo "generating keystore and certificates...." | |
echo "**************************************************" | |
### Cluster key setup. | |
# Create the cluster key for cluster communication. | |
keytool -genkey -keyalg RSA -alias "${CLUSTER_NAME}_cluster" -keystore "$KEY_STORE" -storepass "$PASSWORD" -keypass "$PASSWORD" \ | |
-dname "CN=$CLUSTER_NAME cluster, $ORGANISATION" \ | |
-validity 36500 | |
# Create the public key for the cluster which is used to identify nodes. | |
keytool -export -alias "${CLUSTER_NAME}_cluster" -file "$CLUSTER_PUBLIC_CERT" -keystore "$KEY_STORE" \ | |
-storepass "$PASSWORD" -keypass "$PASSWORD" -noprompt | |
# Import the identity of the cluster public cluster key into the trust store so that nodes can identify each other. | |
keytool -import -v -trustcacerts -alias "${CLUSTER_NAME}_cluster" -file "$CLUSTER_PUBLIC_CERT" -keystore "$TRUST_STORE" \ | |
-storepass "$PASSWORD" -keypass "$PASSWORD" -noprompt | |
### | |
# Note: | |
# Optional you can also generate a second key pair for the Client | |
### | |
# Create the client key for CQL. | |
#keytool -genkey -keyalg RSA -alias "${CLUSTER_NAME}_client" -keystore "$KEY_STORE" -storepass "$PASSWORD" -keypass "$PASSWORD" \ | |
#-dname "CN=$CLUSTER_NAME client, $ORGANISATION" \ | |
#-validity 36500 | |
# Create the public key for the client to identify itself. | |
#keytool -export -alias "${CLUSTER_NAME}_client" -file "$CLIENT_PUBLIC_CERT" -keystore "$KEY_STORE" \ | |
#-storepass "$PASSWORD" -keypass "$PASSWORD" -noprompt | |
# Import the identity of the client pub key into the trust store so nodes can identify this client. | |
#keytool -importcert -v -trustcacerts -alias "${CLUSTER_NAME}_client" -file "$CLIENT_PUBLIC_CERT" -keystore "$TRUST_STORE" \ | |
#-storepass "$PASSWORD" -keypass "$PASSWORD" -noprompt | |
# Creeate a pks12 keystore file | |
keytool -importkeystore -srckeystore "$KEY_STORE" -destkeystore "$PKS_KEY_STORE" -deststoretype PKCS12 \ | |
-srcstorepass "$PASSWORD" -deststorepass "$PASSWORD" | |
# create openssl cer.pem and key.pem file | |
openssl pkcs12 -in "$PKS_KEY_STORE" -nokeys -out "${KEY_STORE_PATH}/${CLUSTER_NAME}.cer.pem" -passin pass:${PASSWORD} | |
echo "${CLUSTER_NAME}.cer.pem file created" | |
openssl pkcs12 -in "$PKS_KEY_STORE" -nodes -nocerts -out "${KEY_STORE_PATH}/${CLUSTER_NAME}.key.pem" -passin pass:${PASSWORD} | |
echo "${CLUSTER_NAME}.key.pem file created" | |
echo "**************************************************" | |
echo "...completed" | |
echo "**************************************************" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment