
Encryption setup with openssl 3.2

Open youribonnaffe opened this issue 8 months ago • 0 comments

The encryption setup from the documentation relies on the OpenSSL CLI to generate self-signed certificates. I recently stumbled upon a specific issue related to the recent release of OpenSSL 3.2.0 that I thought was worth sharing, given that I wasted many hours on this.

The script creates self-signed certificates using your local installation of OpenSSL. The latest 3.2.0 release includes the following change:

  • The x509, ca, and req apps now produce X.509 v3 certificates. The -x509v1 option of req prefers generation of X.509 v1 certificates. X509_sign() and X509_sign_ctx() make sure that the certificate has X.509 version 3 if the certificate information includes X.509 extensions. (https://github.com/openssl/openssl/blob/openssl-3.2.0/CHANGES.md)

This results in the script creating a V3 certificate, which includes a Subject Key Identifier section.

Because of this, attempts to use the self-signed certificate, for instance with cqlsh, require bypassing certificate validation (SSL_VALIDATE=false), whereas this was not necessary with V1 certificates.

The workaround for me was to change the script to request a V1 certificate (using -x509v1).

I'm not sure if it is worth updating the documentation but at least this issue might help others.

youribonnaffe Dec 13 '23 14:12
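To see the behaviour described in this issue on your own machine, here is an added shell example (it is not from the k8ssandra-operator documentation or the issue author): it generates a self-signed certificate with the installed OpenSSL, adds -x509v1 only when the version is 3.2 or newer, and reports the X.509 version and whether a Subject Key Identifier extension is present. The subject name and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the k8ssandra-operator docs or the issue.
# Assumes: openssl on PATH; the subject and file names below are constructed.

# Return 0 if an OpenSSL version string (e.g. "3.2.0") is 3.2 or newer, the
# release whose x509/req/ca apps default to X.509 v3 and gained -x509v1.
openssl_defaults_to_v3() {
    ver="$1"
    [ -n "$ver" ] || return 1
    major="${ver%%.*}"; rest="${ver#*.}"; minor="${rest%%.*}"
    [ "$major" -gt 3 ] 2>/dev/null || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }
}

# Version of the openssl binary on PATH, or empty when it is not OpenSSL
# (LibreSSL prints a similar but unrelated version string).
installed_openssl_version() {
    openssl version 2>/dev/null | awk '$1 == "OpenSSL" { print $2 }'
}

# Write a self-signed certificate. MODE "v1" adds -x509v1 (the workaround from
# the issue, OpenSSL >= 3.2 only); MODE "default" lets the installed OpenSSL decide.
gen_selfsigned() {
    mode="$1"; key="$2"; crt="$3"
    set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 365 \
        -subj "/CN=cassandra.example.test" -keyout "$key" -out "$crt"
    [ "$mode" = "v1" ] && set -- "$@" -x509v1
    openssl "$@" 2>/dev/null
}

# Print the X.509 version number ("1" or "3") of the certificate in FILE.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Return 0 if the certificate in FILE carries a Subject Key Identifier extension.
cert_has_ski() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Key Identifier'
}

demo() {
    ver="$(installed_openssl_version)"
    gen_selfsigned default demo.key demo.crt
    echo "OpenSSL $ver: default self-signed cert is X.509 v$(cert_version demo.crt)"
    cert_has_ski demo.crt && echo "  and it carries a Subject Key Identifier"
    if openssl_defaults_to_v3 "$ver"; then
        gen_selfsigned v1 demo-v1.key demo-v1.crt
        echo "OpenSSL $ver: with -x509v1 the cert is X.509 v$(cert_version demo-v1.crt)"
    fi
}
if [ -n "$(installed_openssl_version)" ]; then demo; fi
```

Run it once before and once after upgrading OpenSSL to see the version flip; the same `cert_version` check can be dropped into the documented script to confirm what it produced.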