Cassandra/Tools/cassandra-ca-manager

From Wikitech
Jump to navigation Jump to search

Easily manage Java keystores using a self-signed certificate authority.

Project

Usage

Step 1

Create a YAML-formatted manifest describing the certificate authority and machine certificates.

# The top-level working directory
base_directory: /path/to/base/directory

# The Certificate Authority
authority:
  key:
    size: 2048
  cert:
    subject:
      organization: WMF
      country: US
      unit: Services
    valid: 365
  password: qwerty

# Java keystores
keystores:
  - name: restbase1001-a
    key:
      size: 2048
    cert:
      subject:
        organization: WMF
        country: US
        unit: Services
      valid: 365
    password: qwerty

  - name: restbase1001-b
    key:
      size: 2048
    cert:
      subject:
        organization: WMF
        country: US
        unit: Services
      valid: 365
    password: qwerty

  - name: restbase1002-a
    key:
      size: 2048
    cert:
      subject:
        organization: WMF
        country: US
        unit: Services
      valid: 365
    password: qwerty

Step 2

Run the script with the manifest as its only argument.

$ cassandra-ca-manager manifest.yaml
$ tree /path/to/base/directory
/path/to/base/directory
├── restbase1001-a
│   ├── restbase1001-a.crt
│   └── restbase1001-a.csr
│   └── restbase1001-a.kst
├── restbase1001-b
│   ├── restbase1001-b.crt
│   └── restbase1001-b.csr
│   └── restbase1001-b.kst
├── restbase1002-a
│   ├── restbase1002-a.crt
│   └── restbase1002-a.csr
│   └── restbase1002-a.kst
├── rootCa.crt
├── rootCa.key
├── rootCa.srl
└── truststore

3 directories, 13 files

Note: cassandra-ca-manager is idempotent, it will not overwrite any existing material in the base directory. To create additional keystores later, simply add their definitions to the manifest, and re-run the script.

Step 3

Copy the resulting truststore and *.kst files to their respective machines, and configure server and/or client encryption accordingly.