These scripts streamline the creation of TLS certificates to ensure the security of Cassandra, ElasticSearch, OpenSearch, or NATS instances. They automate the entire process, encompassing the generation of a Root Certificate Authority (CA) certificate, node-specific certificates, and seamless certificate management tasks.
- Ensure you have Administrator privileges to execute the scripts successfully.
- Ensure that the openssl and the keytool executables are available on your system.
Warning
We have noticed issues when using the keytool of a different Java version then the version used by Cassandra/Elastic/OpenSearch. For this reason we highly recommend to use the keytool executable of the Java installation used by Cassandra/Elastic/OpenSearch.
Linux should come with OpenSSL by default. You can verify this by running the following command:
openssl versionKeytool is automatically installed when installing Java, so it should be present on the system if you have Cassandra/ElasticSearch/OpenSearch installed.
We have noticed issues with installing OpenSsl on windows. We found it the easiest to install Git which ships an openssl executable with it. The executable can be found at %programfiles%\git\usr\bin\openssl.exe
Keytool is shipped alongside with Java. ElasticSearchg and Cassandra installations on Windows also ship Java alongside. You can find the keytool executable at: %programfiles%\ElasticOrCassandra\java\bin\keytool.exe
-
Open a terminal.
-
Navigate to the directory containing
generate-tls-certificates.sh. -
Run the following command:
chmod +x generate-tls-certificates.sh
This step ensures execution permissions.
-
Execute the script:
./generate-tls-certificates.sh
-
Open PowerShell as administrator.
-
Navigate to the directory containing
generate-tls-certificates.ps1. -
Execute the script:
.\generate-tls-certificates.ps1
Note
Ensure the necessary executables and prerequisites are in place before running the scripts.
- Organization Type: Choose the instance type for which you want to generate certificates (Cassandra, Elastic, OpenSearch, NATS).
- Cleanup: Option to clean up files generated in previous executions.
- Cluster Information: Enter the name of your cluster and handle non-ASCII characters appropriately.
- Certificate Options: Set the validity period for the certificates.
- Key Size: Choose the certificate key size (1024, 2048, 4096, or 8192 bits).
- Hostnames: Input the hostnames (FQDN) of each node.
- Automatic Hostname Resolution: Option to resolve hostnames automatically instead of manually entering IP addresses.
- Root CA Certificate: Choose to use an existing root certificate or generate a new one.
- Certificate Generation: Automatically generates certificates for each node in the cluster.
- Subject Alternative Names (SANs): Specify additional SANs for each node.
- Password Handling: Option to automatically generate a secure password or manually enter one.
- Public Key Exchange: Add public keys of every node to the keystore of every other node.
- Cleanup Unused Files: Remove unnecessary files generated during the execution.
- Certificates Information: Display information about the generated certificates, keystore files, and passwords.
Important
- Ensure the root CA certificate (rootCA.crt) is trusted on every client. If a password is generated, note it down for future reference.
- Copy the generated keystore files (*-node-keystore.p12) to their respective nodes.
This script is provided under the MIT License.