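#!/bin/bash
# Based on http://docs.datastax.com/en/archived/cassandra/3.x/cassandra/configuration/secureSSLCertWithCA.html
# Script can be executed on each Cassandra node or on a single Cassandra node.
# If executed on a single node, transfer the TrustStore and each node's KeyStore
# to that node.
#
# Usage: script.sh [node_ip ...]
#   With no arguments the three node IPs defined below are used.
# Environment: CERT_PASS, KEY_PASS and STORE_PASS override the default passwords.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Define Cassandra node IPs (defaults; positional arguments override them)
CSC1="10.90.209.155"
CSC2="10.90.209.196"
CSC3="10.90.209.199"
if (( $# > 0 )); then
  CSC_NODES=("$@")
else
  CSC_NODES=("$CSC1" "$CSC2" "$CSC3")
fi
readonly CSC_NODES
# Location for all certificates and working files
readonly CSC_CONF_DIR="/ds/cassandra/conf/"
# File names
readonly ROOT_CA_CONF="gen_rootCa_cert.conf"
readonly ROOT_CA_KEY="CSCRootCA.key"
readonly ROOT_CA_CRT="CSCRootCA.crt"
readonly TRUSTSTORE="generic-server-truststore.jks"
# Certificate details
readonly ROOT_CA_ALIAS="CSCRootCA"
readonly COUNTRY="US"
readonly ORG="DataRecipe"
readonly ORG_UNIT="CSC"
readonly COMMON_NAME="$ROOT_CA_ALIAS"
# Validity (days) shared by the root CA and every node certificate
readonly VALIDITY_DAYS="365"
# Key size shared by the root CA and every node key
readonly KEY_SIZE="2048"
# Passwords: taken from the environment when set; the defaults are the values
# from the original recipe. They are exported so that openssl (env:NAME) and
# keytool (-storepass:env NAME) read them from the environment instead of argv,
# which keeps them out of `ps` listings and `set -x` traces.
export CERT_PASS="${CERT_PASS:-myPass}"
export KEY_PASS="${KEY_PASS:-myKeyPass}"
export STORE_PASS="${STORE_PASS:-truststorePass}"

#######################################
# Write the openssl req configuration for the root CA.
# Globals:   ROOT_CA_CONF, KEY_SIZE, COUNTRY, ORG, ORG_UNIT, COMMON_NAME (read)
# Outputs:   creates $ROOT_CA_CONF in the current directory
#######################################
write_root_ca_conf() {
  # Unquoted delimiter so the variables are expanded into the file
  # (the original single-quoted echo lines wrote the literal "$NAME" text).
  # No output_password entry: the key is written unencrypted (-nodes), so the
  # setting would only leave the password on disk without effect.
  cat > "$ROOT_CA_CONF" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
default_bits = $KEY_SIZE

[ req_distinguished_name ]
C = $COUNTRY
O = $ORG
OU = $ORG_UNIT
CN = $COMMON_NAME
EOF
}

#######################################
# Create the root CA certificate and key, then print the certificate.
# Globals:   ROOT_CA_CONF, ROOT_CA_KEY, ROOT_CA_CRT, COMMON_NAME, ORG_UNIT,
#            ORG, COUNTRY, VALIDITY_DAYS (read)
# Outputs:   $ROOT_CA_KEY and $ROOT_CA_CRT; certificate text on stdout
#######################################
create_root_ca() {
  openssl req \
    -config "$ROOT_CA_CONF" \
    -new \
    -x509 \
    -nodes \
    -subj "/CN=$COMMON_NAME/OU=$ORG_UNIT/O=$ORG/C=$COUNTRY/" \
    -keyout "$ROOT_CA_KEY" \
    -out "$ROOT_CA_CRT" \
    -days "$VALIDITY_DAYS"
  # The CA key is unencrypted and signs every node certificate: owner-only.
  chmod 600 -- "$ROOT_CA_KEY"
  # Verify the CSCRootCA certificate
  openssl x509 -in "$ROOT_CA_CRT" -text -noout
}

#######################################
# Generate a key pair and keystore for one node, then list the keystore.
# Arguments: $1 - node host/IP (used as alias and keystore base name)
# Globals:   KEY_PASS (env), VALIDITY_DAYS, KEY_SIZE, ORG_UNIT, ORG, COUNTRY
# Outputs:   $1.jks
#######################################
gen_node_keystore() {
  local host=$1
  keytool \
    -genkeypair \
    -keyalg RSA \
    -alias "$host" \
    -keystore "$host.jks" \
    -storepass:env KEY_PASS \
    -keypass:env KEY_PASS \
    -validity "$VALIDITY_DAYS" \
    -keysize "$KEY_SIZE" \
    -dname "CN=$host, OU=$ORG_UNIT, O=$ORG, C=$COUNTRY"
  # Check certificates
  keytool -list -keystore "$host.jks" -storepass:env KEY_PASS
}

#######################################
# Export a certificate signing request (CSR) for one node.
# Arguments: $1 - node host/IP
# Globals:   KEY_PASS (env), ORG_UNIT, ORG, COUNTRY
# Outputs:   $1.csr
#######################################
export_node_csr() {
  local host=$1
  keytool \
    -certreq \
    -keystore "$host.jks" \
    -alias "$host" \
    -file "$host.csr" \
    -keypass:env KEY_PASS \
    -storepass:env KEY_PASS \
    -dname "CN=$host, OU=$ORG_UNIT, O=$ORG, C=$COUNTRY"
}

#######################################
# Sign a node CSR with the root CA and verify the result against it.
# Arguments: $1 - node host/IP
# Globals:   ROOT_CA_CRT, ROOT_CA_KEY, VALIDITY_DAYS, CERT_PASS (env)
# Outputs:   $1.crt_signed
# Returns:   non-zero (aborting the script) if verification fails
#######################################
sign_node_csr() {
  local host=$1
  openssl x509 \
    -req \
    -CA "$ROOT_CA_CRT" \
    -CAkey "$ROOT_CA_KEY" \
    -in "$host.csr" \
    -out "$host.crt_signed" \
    -days "$VALIDITY_DAYS" \
    -CAcreateserial \
    -passin env:CERT_PASS
  # Verify the signed certificate chains to the root CA
  openssl verify -CAfile "$ROOT_CA_CRT" "$host.crt_signed"
}

#######################################
# Import one certificate file into a node keystore under the given alias.
# Arguments: $1 - node host/IP, $2 - alias, $3 - certificate file
# Globals:   KEY_PASS (env)
#######################################
import_into_node_keystore() {
  local host=$1 alias=$2 cert_file=$3
  keytool \
    -importcert \
    -keystore "$host.jks" \
    -alias "$alias" \
    -file "$cert_file" \
    -noprompt \
    -keypass:env KEY_PASS \
    -storepass:env KEY_PASS
}

#######################################
# Create the server truststore holding the root CA and list it.
# Globals:   TRUSTSTORE, ROOT_CA_ALIAS, ROOT_CA_CRT, STORE_PASS (env)
# Outputs:   $TRUSTSTORE
#######################################
create_truststore() {
  # A trusted-certificate entry has no private key, so no -keypass is needed.
  keytool \
    -importcert \
    -keystore "$TRUSTSTORE" \
    -alias "$ROOT_CA_ALIAS" \
    -file "$ROOT_CA_CRT" \
    -noprompt \
    -storepass:env STORE_PASS
  # Inspect truststore
  keytool -list -keystore "$TRUSTSTORE" -storepass:env STORE_PASS
}

#######################################
# Run the full recipe: root CA, then per-node keystore/CSR/sign/import,
# then the shared truststore.
# Globals:   CSC_CONF_DIR, CSC_NODES, ROOT_CA_ALIAS, ROOT_CA_CRT (read)
#######################################
main() {
  # Change to certificate directory (the original "cd CSC_CONF_DIR" lacked the
  # "$" and would silently keep writing into the caller's working directory).
  cd "$CSC_CONF_DIR" || die "cannot cd to $CSC_CONF_DIR"
  write_root_ca_conf
  create_root_ca
  local host
  for host in "${CSC_NODES[@]}"; do
    gen_node_keystore "$host"
    export_node_csr "$host"
    sign_node_csr "$host"
    # Import CSCRootCA certificate, then the node's own signed certificate
    import_into_node_keystore "$host" "$ROOT_CA_ALIAS" "$ROOT_CA_CRT"
    import_into_node_keystore "$host" "$host" "$host.crt_signed"
  done
  create_truststore
}

main
# Copy the truststore file to each node, for example:
# cp generic-server-truststore.jks /usr/local/lib/cassandra/conf/server-truststore.jks
# Copy the node keystore file to each node, for example:
# cp "$CSC_HOST.jks" "/usr/local/lib/cassandra/conf/$CSC_HOST.jks"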