I am interested if anyone has taken this approach to share the same keystore across all the nodes with the 3rd party root/intermediate CA existing only in the truststore. If so, please share your experience and lessons learned. Would this impact client-to-node encryption as the certificates used in internode would not have the hostnames represented in CN?
-- Jacob Shadix

On Wed, Sep 21, 2016 at 11:40 AM, sai krishnam raju potturi <pskraj...@gmail.com> wrote:

> hi Evans;
> rather than having one individual certificate for every node, we are looking at getting one Comodo wild-card certificate, and importing that into the keystore, along with the intermediate CA provided by Comodo. As far as the trust-store is concerned, we are looking at importing the intermediate CA provided along with the signed wild-card cert by Comodo.
>
> So in this case we'll be having just one keystore (generic), and truststore we'll be copying to all the nodes. We've run into issues however, and are trying to iron that out. Interested to know if anybody in the community has taken a similar approach.
>
> We are pretty much going along the lines of the following post by LastPickle: http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html. Instead of creating our own CA, we are relying on Comodo.
>
> thanks
> Sai
>
> On Wed, Sep 21, 2016 at 10:30 AM, Eric Evans <john.eric.ev...@gmail.com> wrote:
>
>> On Tue, Sep 20, 2016 at 12:57 PM, sai krishnam raju potturi <pskraj...@gmail.com> wrote:
>> > Due to the security policies in our company, we were asked to use 3rd party signed certs. Since we'll require to manage hundreds of individual certs, we wanted to know if there is a workaround with a generic keystore and truststore.
>>
>> Can you explain what you mean by "generic keystore"? Are you looking to create keystores signed by a self-signed root CA (distributed via a truststore)?
>>
>> --
>> Eric Evans
>> john.eric.ev...@gmail.com
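A check for the hostname question raised above, as an added example that is not from the thread, from Cassandra or from any CA's tooling: it applies the usual TLS hostname-matching rules (SAN dNSName first, CN only as a fallback, one wildcard covering exactly one label) to a shared wildcard certificate, so you can list which node names a peer doing hostname verification would reject before rolling the keystore out. The certificate names and node hostnames are constructed.

```python
"""Which node names does a shared wildcard certificate actually cover?

Constructed example: models the comparison a TLS client (or a node doing
endpoint verification) makes between the peer's hostname and the names
on the presented certificate. Rules applied:
  * SAN dNSName entries are authoritative; the CN is consulted only when
    the certificate carries no SAN dNSName at all.
  * A wildcard is accepted only as the entire left-most label and matches
    exactly one label: *.example.com covers node1.example.com, but neither
    example.com nor node1.dc1.example.com.
  * An IP literal is never a dNSName match; peers addressed by IP would
    need an iPAddress SAN, which a wildcard DNS certificate does not carry.
"""
from typing import Iterable, List, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name (possibly a wildcard) with a hostname."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, nowhere else, and must
    # sit under at least two further labels (rejects patterns like *.com).
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dnsnames: Iterable[str], cn: Optional[str],
                      hostname: str) -> bool:
    """True if the certificate's names cover `hostname`."""
    sans = list(san_dnsnames)
    candidates = sans if sans else ([cn] if cn else [])
    return any(_name_matches(name, hostname) for name in candidates)


def uncovered_nodes(san_dnsnames: Iterable[str], cn: Optional[str],
                    nodes: Iterable[str]) -> List[str]:
    """Node names (or IPs) that hostname verification would reject."""
    sans = list(san_dnsnames)
    return [n for n in nodes if not cert_matches_host(sans, cn, n)]


if __name__ == "__main__":
    # Constructed inventory: a wildcard for one domain, nodes in two forms.
    cluster = ["node1.example.com", "node2.dc1.example.com", "10.0.0.5"]
    print(uncovered_nodes(["*.example.com"], None, cluster))
```

Run over the real node inventory, an empty list means the shared certificate names every peer as it is addressed; anything listed would fail verification and would have to be reached by a covered name or issued its own certificate.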