OpenSSL allows you to sign certificates. Considerations for internally signed certificates include:
The encryption algorithms may be less secure than those used by a well-known, trusted third-party CA.
Clients do not trust an unknown CA by default, so the CA certificate must be installed in each client's truststore.
Note: When accessing the service from a client application such as HiveCLI, cURL, etc., the client must be able to resolve (trust) the CA, or the connection attempt may fail. Users accessing the service through a browser will be able to add an exception if the certificate cannot be verified in their local truststore.
To install OpenSSL and set up an internal CA:
Install OpenSSL, for example on CentOS run:
yum install openssl
Generate a CA signing key and certificate:
openssl genrsa -out ca.key 8192; openssl req -new -x509 -extensions v3_ca -key ca.key -out ca.crt -days 365
Set up the CA directory structure:
mkdir -m 0700 /root/CA /root/CA/certs /root/CA/crl /root/CA/newcerts /root/CA/private
Move the CA key to /root/CA/private and the CA certificate to /root/CA/certs:
mv ca.key /root/CA/private; mv ca.crt /root/CA/certs
Add required files:
touch /root/CA/index.txt; echo 1000 >> /root/CA/serial
Set permissions on the ca.key so that only its owner can read it:
chmod 0400 /root/CA/private/ca.key
Open the OpenSSL configuration file:
vi /etc/pki/tls/openssl.cnf
Change the directory paths to match your environment:
[ CA_default ]
dir             = /root/CA                  # Where everything is kept
certs           = /root/CA/certs            # Where the issued certs are kept
crl_dir         = /root/CA/crl              # Where the issued crl are kept
database        = /root/CA/index.txt        # database index file.
#unique_subject = no                        # Set to 'no' to allow creation of
                                            # several certificates with same subject.
new_certs_dir   = /root/CA/newcerts         # default place for new certs.
certificate     = /root/CA/certs/ca.crt     # The CA certificate (ca.crt as moved above)
serial          = /root/CA/serial           # The current serial number
crlnumber       = /root/CA/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem              # The current CRL
private_key     = /root/CA/private/ca.key   # The private key (ca.key as moved above)
RANDFILE        = /root/CA/private/.rand    # private random number file
x509_extensions = usr_cert                  # The extensions to add to the cert
Save the changes and restart OpenSSL:
Example of setting up OpenSSL internal CA:
openssl genrsa -out ca.key 8192; openssl req -new -x509 -extensions v3_ca -key ca.key -out ca.crt -days 365
Generating RSA private key, 8192 bit long modulus
.......................................................................................++
......................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Palo Alto
Organization Name (eg, company) [Default Company Ltd]:Hortonworks
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nn
Email Address []:it@hortonworks.com
mkdir -m 0700 /root/CA /root/CA/certs /root/CA/crl /root/CA/newcerts /root/CA/private
ls /root/CA
certs crl newcerts private
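The whole procedure above, carried through end to end as an added example that is not part of the original Hortonworks page: it builds the CA directory layout, key, certificate and a minimal openssl.cnf whose [CA_default] paths match the files it creates, signs one server certificate with openssl ca, and then checks the certificate twice with openssl verify, once with the CA certificate supplied as the truststore and once without, which is exactly the client-side failure the note at the top describes. It assumes the openssl binary is installed; it uses a scratch directory instead of /root/CA so it runs as an unprivileged user, 2048-bit keys instead of 8192 for speed, and the organisation name and hostname hive.example.internal are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the page's own commands): internal CA set up in a scratch
# directory, one server certificate signed with `openssl ca`, and verification
# with and without the CA certificate in the truststore. Assumes `openssl` is
# installed. Key size 2048 (page uses 8192) and all names are demo choices.
set -eu

# setup_ca DIR: CA layout, index/serial files, openssl.cnf, CA key and cert.
setup_ca() {
    ca="$1"
    mkdir -p -m 0700 "$ca" "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"
    echo 1000 > "$ca/serial"

    # Minimal config; paths in [CA_default] point at the files created below.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/certs/ca.crt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # CA signing key (owner read-only) and self-signed CA certificate; -subj
    # replaces the interactive DN prompts shown in the page's transcript.
    openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null
    chmod 0400 "$ca/private/ca.key"
    openssl req -new -x509 -extensions v3_ca -days 365 \
        -config "$ca/openssl.cnf" -key "$ca/private/ca.key" \
        -subj "/C=US/O=Example Corp/CN=Example Internal CA" \
        -out "$ca/certs/ca.crt" 2>/dev/null
}

# sign_server_cert DIR HOST: server key + CSR for HOST, signed by the CA.
# -batch suppresses the "Sign the certificate?" confirmation prompts.
sign_server_cert() {
    ca="$1"; host="$2"
    openssl genrsa -out "$ca/private/$host.key" 2048 2>/dev/null
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/private/$host.key" \
        -subj "/CN=$host" -out "$ca/$host.csr" 2>/dev/null
    openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/$host.csr" \
        -out "$ca/certs/$host.crt" -notext 2>/dev/null
}

# verify_with_ca DIR HOST: what a client with ca.crt in its truststore sees.
verify_with_ca() {
    openssl verify -CAfile "$1/certs/ca.crt" "$1/certs/$2.crt" >/dev/null 2>&1
}

# verify_without_ca DIR HOST: the same certificate with no trust anchors, as
# a client that never imported the internal CA would evaluate it.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1/certs/$2.crt" >/dev/null 2>&1
}

# Stand-alone demo: one CA, one server certificate, both verification outcomes.
main() {
    scratch=$(mktemp -d)
    setup_ca "$scratch"
    sign_server_cert "$scratch" hive.example.internal
    if verify_with_ca "$scratch" hive.example.internal; then
        echo "CA certificate in truststore: verification OK"
    fi
    if ! verify_without_ca "$scratch" hive.example.internal; then
        echo "CA certificate missing from truststore: verification fails"
    fi
    rm -rf "$scratch"
}
main
```

The config deliberately keeps certificate and private_key pointing at the same ca.crt and ca.key names the mv step produces, since openssl ca fails with "unable to load CA certificate" when those two lines name files that do not exist. The second verify call is the situation the note describes for HiveCLI or cURL: the server certificate is perfectly valid, but a client whose truststore lacks the CA certificate cannot build a chain and rejects the connection.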