Posted to user@cassandra.apache.org by Vishwajeet Singh <vi...@gmail.com> on 2015/10/29 08:06:19 UTC

Cassandra security using openssl or keytool

Hi,

I saw Cassandra documentation.

http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html

I found this line "SSL certificates must be generated using keytool".

Can somebody explain to me why SSL certificates must be generated using
keytool?

Can we use OpenSSL for generating certificates?
I am trying to use openssl but it's not working. Why?

Thanks,
Vishwajeet

Re: Cassandra security using openssl or keytool

Posted by "Jason J. W. Williams" <ja...@gmail.com>.
>
> I certainly don't vouch for the advisability of attempting a task you've
> described as a "real pain" ... but if OP wants/needs to, it's their
> funeral? :D
>

Agreed. I just wanted to elaborate what a "real pain" meant so OP would
know I wasn't just blowing him off.

-J

Re: Cassandra security using openssl or keytool

Posted by Robert Coli <rc...@eventbrite.com>.
On Thu, Oct 29, 2015 at 4:18 PM, Jason J. W. Williams <
jasonjwwilliams@gmail.com> wrote:

>> I wasted 4-5 hours of my life recently importing an OpenSSL key in a PEM
>> into a Cassandra keystore using exactly that article as a starting point
>> (the server's hostname already had a certificate and key in our ops CA, and
>> for various reasons we didn't want to revoke and reissue it.).
>>
>
I certainly don't vouch for the advisability of attempting a task you've
described as a "real pain" ... but if OP wants/needs to, it's their
funeral? :D

=Rob

Re: Cassandra security using openssl or keytool

Posted by "Jason J. W. Williams" <ja...@gmail.com>.
>
> Google words like :
>
> "
> import openssl private key into keytool
> "
>
> Find results like :
>
>
> http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863
>
>
I wasted 4-5 hours of my life recently importing an OpenSSL key in a PEM
into a Cassandra keystore using exactly that article as a starting point
(the server's hostname already had a certificate and key in our ops CA, and
for various reasons we didn't want to revoke and reissue it.).

Even when you get the key imported, keytool will then frequently refuse to
pair that key entry with the certificate when you import the
certificate...and it will instead store the certificate in a new keystore
entry. Which won't work because the alias names on the keystore entries for
the key and certificate will be different (you need one entry storing both
key and certificate).  I did _finally_ get it to work but I can't tell you
how I did it...it was a lot of manually editing PEM files, converting them
to DERs and then trying every possible combination of keytool import flags.

-J

Re: Cassandra security using openssl or keytool

Posted by Robert Coli <rc...@eventbrite.com>.
On Thu, Oct 29, 2015 at 1:08 AM, Vishwajeet Singh <vi...@gmail.com>
wrote:

> But I want to do it using OpenSSL because it's my requirement.
>
> Can somebody please guide me on how to do Cassandra client-to-node
> security using SSL? I want to use OpenSSL (not keytool).
>

Google words like :

"
import openssl private key into keytool
"

Find results like :

http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-i/8224863#8224863

?

It looks like, as Jason says, "a real pain" but should be doable if you
really have a requirement of using OpenSSL to generate the private key?

If you want to somehow not use keytool at all in the process, I think
you're out of luck.

=Rob

Re: Cassandra security using openssl or keytool

Posted by Vishwajeet Singh <vi...@gmail.com>.
But I want to do it using OpenSSL because it's my requirement.

Can somebody please guide me on how to do Cassandra client-to-node
security using SSL? I want to use OpenSSL (not keytool).

On Thu, Oct 29, 2015 at 12:40 PM, Jason Williams <ja...@gmail.com>
wrote:

> Because when you use keytool it stores the generated private key in the
> keystore and tags it waiting for the certificate. Then when you import the
> issued certificate it is paired in the same record with the key. It's a
> real pain to get OpenSSL encoded private keys into a keytool keystore.
> Don't fight it, just use keytool. :)
>
> Sent via iPhone
>
> On Oct 29, 2015, at 00:06, Vishwajeet Singh <vi...@gmail.com>
> wrote:
>
> Hi,
>
> I saw Cassandra documentation.
>
>
> http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
>
> I found this line "SSL certificates must be generated using keytool".
>
> Can somebody explain to me why SSL certificates must be generated using
> keytool?
>
> Can we use OpenSSL for generating certificates?
> I am trying to use openssl but it's not working. Why?
>
> Thanks,
> Vishwajeet
>
>

Re: Cassandra security using openssl or keytool

Posted by Jason Williams <ja...@gmail.com>.
Because when you use keytool it stores the generated private key in the keystore and tags it waiting for the certificate. Then when you import the issued certificate it is paired in the same record with the key. It's a real pain to get OpenSSL encoded private keys into a keytool keystore. Don't fight it, just use keytool. :)

Sent via iPhone

> On Oct 29, 2015, at 00:06, Vishwajeet Singh <vi...@gmail.com> wrote:
> 
> Hi,
> 
> I saw Cassandra documentation. 
> 
> http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
> 
> I found this line "SSL certificates must be generated using keytool".
> 
> Can somebody explain to me why SSL certificates must be generated using keytool?
> 
> Can we use OpenSSL for generating certificates?
> I am trying to use openssl but it's not working. Why?
> 
> Thanks,
> Vishwajeet
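As an added example, not code from the thread, from Cassandra or from the linked article: the round trip Jason describes (OpenSSL PEM key and certificate into a keytool keystore), done through a single PKCS12 entry so the key and certificate land in one PrivateKeyEntry instead of the split key/trustedCertEntry under different aliases he ran into. It assumes openssl and keytool are on PATH; the alias, CN, password and self-signed certificate are constructed stand-ins for the ops-CA-issued pair.

```shell
# Added example (not from the thread): bundle an OpenSSL-issued key and
# certificate (PEM) into one PKCS12 entry, import it into a JKS keystore
# with keytool, and verify it landed as one PrivateKeyEntry under the
# expected alias holding the very certificate OpenSSL issued.
# Assumes openssl and keytool on PATH; alias, CN and password are demo values.
set -eu
ALIAS="node1"
STOREPASS="changeit"                 # constructed demo password
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed key+cert from OpenSSL, standing in for the ops-CA-issued pair.
make_openssl_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=node1.example.test" \
    -keyout "$WORKDIR/node1.key" -out "$WORKDIR/node1.crt" >/dev/null 2>&1
}
# Key and cert in ONE PKCS12 entry, so keytool imports them as a pair instead
# of filing the certificate as a separate trustedCertEntry under another alias.
pem_to_pkcs12() {
  openssl pkcs12 -export -name "$ALIAS" -inkey "$WORKDIR/node1.key" \
    -in "$WORKDIR/node1.crt" -passout "pass:$STOREPASS" -out "$WORKDIR/node1.p12"
}
# Import that entry into a JKS keystore, keeping the same alias.
pkcs12_to_jks() {
  rm -f "$WORKDIR/node1.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORKDIR/node1.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -srcalias "$ALIAS" -destalias "$ALIAS" \
    -destkeystore "$WORKDIR/node1.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" >/dev/null 2>&1
}
list_alias() {
  keytool -list -v -keystore "$WORKDIR/node1.jks" -storepass "$STOREPASS" \
    -alias "$ALIAS" 2>/dev/null || true
}
# "PrivateKeyEntry" means key and certificate are paired in one record.
entry_type() {
  case "$(list_alias)" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo missing ;;
  esac
}
# SHA-256 fingerprints from both sides must agree: same cert, not a new one.
openssl_fingerprint() {
  openssl x509 -in "$WORKDIR/node1.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
keystore_fingerprint() {
  list_alias | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}
```

Source the file and call make_openssl_pair, pem_to_pkcs12 and pkcs12_to_jks in that order; entry_type should then print PrivateKeyEntry and the two fingerprint functions should print the same value. If entry_type prints trustedCertEntry or missing, the key and certificate were not imported as one entry and Cassandra will not be able to use them.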