Posted to user@cassandra.apache.org by Eric Evans <jo...@gmail.com> on 2016/08/22 20:09:09 UTC

[ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Hi,

The topic of configuring encryption comes up fairly often, so I
thought I'd make available to others what we use at the Wikimedia
Foundation.

https://github.com/eevans/cassandra-ca-manager

It allows you to define a self-signed root CA, along with keys and
certs for each of your machines in a YAML manifest file.  The script
reads the manifest and generates everything you need (including Java
keystore and truststore files), and drops them in a directory of your
choosing.

It's nothing fancy, but it works pretty well, and beats looking up all
of the baroque commands once a year to do it manually.

Cheers,

-- 
Eric Evans
john.eric.evans@gmail.com
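
The manual steps that the announcement above says the script takes over, shown as an added example (not code from cassandra-ca-manager or from the original post). The subject fields, file names, validity periods and the STORE_PASS variable are constructed for illustration; the truststore step runs only if keytool is installed.

```shell
#!/bin/sh
# Added example: constructed names, subject fields and validity periods.
set -eu
umask 077   # private keys and keystores readable by the owner only

make_ca() {  # $1 = dir; writes rootCa.key and self-signed rootCa.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example/CN=example-root-ca" \
        -keyout "$1/rootCa.key" -out "$1/rootCa.crt" 2>/dev/null
}

make_node() {  # $1 = dir, $2 = node name; password is read from $STORE_PASS
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -CA "$1/rootCa.crt" -CAkey "$1/rootCa.key" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
    # Node key + cert + CA cert bundled as a PKCS#12 keystore.
    openssl pkcs12 -export -name "$2" -passout env:STORE_PASS \
        -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/rootCa.crt" \
        -out "$1/$2.p12"
}

make_truststore() {  # $1 = dir; truststore holds only the root CA cert
    keytool -importcert -noprompt -alias rootCa -file "$1/rootCa.crt" \
        -keystore "$1/truststore" -storepass:env STORE_PASS >/dev/null 2>&1
}

check_node() {  # $1 = dir holding rootCa.crt, $2 = cert file; true if it chains
    openssl verify -CAfile "$1/rootCa.crt" "$2" 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d)
export STORE_PASS="constructed-demo-pass"   # passed via env, not argv
make_ca "$dir"
make_node "$dir" node-a
if command -v keytool >/dev/null 2>&1; then
    make_truststore "$dir" || echo "keytool import failed" >&2
fi
check_node "$dir" "$dir/node-a.crt" && echo "node-a chains to the root CA ($dir)"
```

The root CA private key (rootCa.key) is the one file that should stay off the cluster nodes; each node needs only its own keystore and the shared truststore.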

Re: [ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Posted by Jason Brown <ja...@gmail.com>.
+1. I recently discovered that a coworker had built, more or less, the same
thing just a month or two ago for internal/testing uses. And I know I've
seen/heard it elsewhere, so yeah, this would be great!

On Monday, August 22, 2016, Nate McCall <na...@thelastpickle.com> wrote:

> > > Any reason to not include this in the docs/operating or as a utility in repo
> > > to make it easier for end users to find all information in one place? Know
> > > this has come up on other projects and we always fall into the same
> > > search/reply trap as well
> >
> > No, if there were consensus that was worthwhile, I would have no objections.
> >
>
> It's worthwhile. I've had to do this a couple of times with different CM
> systems as work-for-hire and it's always a PITA. A general purpose utility
> would be awesome.
>

Re: [ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Posted by Nate McCall <na...@thelastpickle.com>.
> > Any reason to not include this in the docs/operating or as a utility in repo
> > to make it easier for end users to find all information in one place? Know
> > this has come up on other projects and we always fall into the same
> > search/reply trap as well
>
> No, if there were consensus that was worthwhile, I would have no objections.
>

It's worthwhile. I've had to do this a couple of times with different CM
systems as work-for-hire and it's always a PITA. A general purpose utility
would be awesome.

Re: [ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Posted by Brandon Williams <dr...@gmail.com>.
+1

On Aug 22, 2016 9:51 PM, "Eric Evans" <ee...@wikimedia.org> wrote:

> On Mon, Aug 22, 2016 at 5:28 PM, Jake Farrell <jf...@apache.org> wrote:
> > Any reason to not include this in the docs/operating or as a utility in repo
> > to make it easier for end users to find all information in one place? Know
> > this has come up on other projects and we always fall into the same
> > search/reply trap as well
>
> No, if there were consensus that was worthwhile, I would have no objections.
>
>
> --
> Eric Evans
> eevans@wikimedia.org
>

Re: [ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Posted by Eric Evans <ee...@wikimedia.org>.
On Mon, Aug 22, 2016 at 5:28 PM, Jake Farrell <jf...@apache.org> wrote:
> Any reason to not include this in the docs/operating or as a utility in repo
> to make it easier for end users to find all information in one place? Know
> this has come up on other projects and we always fall into the same
> search/reply trap as well

No, if there were consensus that was worthwhile, I would have no objections.


-- 
Eric Evans
eevans@wikimedia.org

Re: [ANN]: Cert management with self-signed CA for Cassandra (and presumably other Java stuff)

Posted by Jake Farrell <jf...@apache.org>.
Great idea Eric
Any reason to not include this in the docs/operating or as a utility in
repo to make it easier for end users to find all information in one place?
Know this has come up on other projects and we always fall into the same
search/reply trap as well

-Jake


On Monday, August 22, 2016, Eric Evans <jo...@gmail.com> wrote:

> Hi,
>
> The topic of configuring encryption comes up fairly often, so I
> thought I'd make available to others what we use at the Wikimedia
> Foundation.
>
> https://github.com/eevans/cassandra-ca-manager
>
> It allows you to define a self-signed root CA, along with keys and
> certs for each of your machines in a YAML manifest file.  The script
> reads the manifest and generates everything you need (including Java
> keystore and truststore files), and drops them in a directory of your
> choosing.
>
> It's nothing fancy, but it works pretty well, and beats looking up all
> of the baroque commands once a year to do it manually.
>
> Cheers,
>
> --
> Eric Evans
> john.eric.evans@gmail.com
>
