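#!/usr/bin/env bash
# Based on http://docs.datastax.com/en/archived/cassandra/3.x/cassandra/configuration/secureSSLCertWithCA.html
#
# Builds a private root CA, one JKS keystore per Cassandra node (node key pair,
# CA-signed node certificate, CA certificate) and one shared truststore that
# holds only the CA certificate.
#
# Script can be executed on each Cassandra node or on a single Cassandra node.
# If executed on a single node, transfer TrustStore and Node KeyStore files to
# each node (see the notes at the end of this file).
#
# Passwords may be supplied through the environment (CERT_PASS, KEY_PASS,
# STORE_PASS); the defaults below are placeholders and must be replaced before
# real use. They are handed to openssl/keytool through the environment
# (`-passin env:`, `-storepass:env`) rather than argv, so they are not visible
# in `ps` output or `set -x` traces, and they are never written into files.
set -euo pipefail

# Define Cassandra node IPs
CSC1="10.90.209.155"
CSC2="10.90.209.196"
CSC3="10.90.209.199"
NODES=("$CSC1" "$CSC2" "$CSC3")

# Location for all certificates and working files
CSC_CONF_DIR="/ds/cassandra/conf/"

# File names
readonly ROOT_CA_CONF="gen_rootCa_cert.conf"
readonly ROOT_CA_KEY="CSCRootCA.key"
readonly ROOT_CA_CRT="CSCRootCA.crt"
readonly TRUSTSTORE="generic-server-truststore.jks"

# Certificate details
readonly ROOT_CA_ALIAS="CSCRootCA"
readonly COUNTRY="US"
readonly ORG="DataRecipe"
readonly ORG_UNIT="CSC"
readonly COMMON_NAME="$ROOT_CA_ALIAS"

# Passwords, key size and lifetimes (overridable from the environment)
: "${CERT_PASS:=myPass}"           # passphrase protecting the root CA private key
: "${KEY_PASS:=myKeyPass}"         # node keystore / key password
: "${STORE_PASS:=truststorePass}"  # truststore password
: "${KEY_SIZE:=2048}"
: "${CA_DAYS:=365}"                # root CA certificate validity
: "${NODE_DAYS:=365}"              # node certificate validity
# Exported so openssl/keytool can read them with env:/ :env references.
export CERT_PASS KEY_PASS STORE_PASS

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write the openssl req configuration for the root CA.
# Globals:  ROOT_CA_CONF (written), KEY_SIZE, COUNTRY, ORG, ORG_UNIT, COMMON_NAME
# Outputs:  creates $ROOT_CA_CONF in the current directory
#######################################
write_root_ca_conf() {
  # Unquoted heredoc delimiter so the variables are expanded; the original
  # single-quoted echo lines wrote the literal strings "$CERT_PASS" etc.
  # The key passphrase is passed via -passout instead of output_password so
  # that it is not stored in this file.
  cat > "$ROOT_CA_CONF" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
default_bits = $KEY_SIZE

[ req_distinguished_name ]
C = $COUNTRY
O = $ORG
OU = $ORG_UNIT
CN = $COMMON_NAME
EOF
}

#######################################
# Create the root CA key and self-signed certificate, then print it.
# Globals:  ROOT_CA_CONF, ROOT_CA_KEY (written), ROOT_CA_CRT (written),
#           COMMON_NAME, ORG_UNIT, ORG, COUNTRY, CA_DAYS, CERT_PASS (env)
#######################################
create_root_ca() {
  # The original passed -nodes (unencrypted key) while also supplying a key
  # passphrase when signing; the private key is encrypted here so that
  # CERT_PASS actually protects it.
  openssl req \
    -config "$ROOT_CA_CONF" \
    -new \
    -x509 \
    -subj "/CN=$COMMON_NAME/OU=$ORG_UNIT/O=$ORG/C=$COUNTRY/" \
    -passout env:CERT_PASS \
    -keyout "$ROOT_CA_KEY" \
    -out "$ROOT_CA_CRT" \
    -days "$CA_DAYS"
  # Verify the CSCRootCA certificate
  openssl x509 -in "$ROOT_CA_CRT" -text -noout
}

#######################################
# Generate the key pair and keystore for one node.
# Arguments: $1 - node host/IP (also used as keystore name and alias)
#######################################
gen_node_keypair() {
  local host=$1
  keytool \
    -genkeypair \
    -keyalg RSA \
    -alias "$host" \
    -keystore "$host.jks" \
    -storepass:env KEY_PASS \
    -keypass:env KEY_PASS \
    -validity "$NODE_DAYS" \
    -keysize "$KEY_SIZE" \
    -dname "CN=$host, OU=$ORG_UNIT, O=$ORG, C=$COUNTRY"
  # Check the keystore contents
  keytool -list -keystore "$host.jks" -storepass:env KEY_PASS
}

#######################################
# Export a certificate signing request (CSR) for one node.
# Arguments: $1 - node host/IP
# Outputs:   writes $host.csr
#######################################
gen_node_csr() {
  local host=$1
  keytool \
    -certreq \
    -keystore "$host.jks" \
    -alias "$host" \
    -file "$host.csr" \
    -keypass:env KEY_PASS \
    -storepass:env KEY_PASS \
    -dname "CN=$host, OU=$ORG_UNIT, O=$ORG, C=$COUNTRY"
}

#######################################
# Sign a node CSR with the root CA and verify the result against the CA.
# Arguments: $1 - node host/IP
# Outputs:   writes $host.crt_signed
#######################################
sign_node_csr() {
  local host=$1
  openssl x509 \
    -req \
    -CA "$ROOT_CA_CRT" \
    -CAkey "$ROOT_CA_KEY" \
    -in "$host.csr" \
    -out "$host.crt_signed" \
    -days "$NODE_DAYS" \
    -CAcreateserial \
    -passin env:CERT_PASS
  # Verify the signed certificate chains to the root CA
  openssl verify -CAfile "$ROOT_CA_CRT" "$host.crt_signed"
}

#######################################
# Import the root CA certificate and the node's signed certificate into the
# node keystore. The CA must be imported first so the certificate reply can
# be chained.
# Arguments: $1 - node host/IP
#######################################
import_node_certs() {
  local host=$1
  keytool \
    -importcert \
    -keystore "$host.jks" \
    -alias "$ROOT_CA_ALIAS" \
    -file "$ROOT_CA_CRT" \
    -noprompt \
    -keypass:env KEY_PASS \
    -storepass:env KEY_PASS
  keytool \
    -importcert \
    -keystore "$host.jks" \
    -alias "$host" \
    -file "$host.crt_signed" \
    -noprompt \
    -keypass:env KEY_PASS \
    -storepass:env KEY_PASS
}

#######################################
# Create the shared server truststore containing only the root CA and list it.
# Globals:  TRUSTSTORE (written), ROOT_CA_ALIAS, ROOT_CA_CRT, STORE_PASS (env)
#######################################
create_truststore() {
  keytool \
    -importcert \
    -keystore "$TRUSTSTORE" \
    -alias "$ROOT_CA_ALIAS" \
    -file "$ROOT_CA_CRT" \
    -noprompt \
    -storepass:env STORE_PASS
  # Inspect truststore
  keytool -list -keystore "$TRUSTSTORE" -storepass:env STORE_PASS
}

main() {
  local host
  command -v openssl >/dev/null || die "openssl not found in PATH"
  command -v keytool >/dev/null || die "keytool not found in PATH"
  # Keys and keystores are created owner-only; relax per file after copying
  # to the nodes if the Cassandra service user differs.
  umask 077
  # Change to certificate directory (the original `cd CSC_CONF_DIR` lacked
  # the `$` and changed into a literal directory of that name).
  cd -- "$CSC_CONF_DIR" || die "cannot cd to $CSC_CONF_DIR"

  write_root_ca_conf
  create_root_ca

  for host in "${NODES[@]}"; do
    gen_node_keypair "$host"
    gen_node_csr "$host"
    sign_node_csr "$host"
    import_node_certs "$host"
  done

  create_truststore
}

main "$@"

# Copy the truststore file to each node, for example:
# cp generic-server-truststore.jks /usr/local/lib/cassandra/conf/server-truststore.jks
# Copy the node keystore file to each node, for example:
# cp 10.90.209.155.jks /usr/local/lib/cassandra/conf/10.90.209.155.jks
# (repeat for each entry in NODES). The root CA key (CSCRootCA.key) does not
# belong on the nodes; keep it offline once the node certificates are signed.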