Obtain a Certificate from a Trusted Third-Party Certification Authority (CA)
To obtain a certificate signed by a third-party CA, generate and submit a Certificate Signing Request (CSR) for each cluster node.
- From the service user account associated with the component (such as hive, hbase, oozie, or hdfs, shown below as <service_user>), generate the host key:
su -l <service_user> -c "keytool -keystore <client-keystore> -genkey -alias <host>"
- At the prompts, enter the information required by the CSR.
Note
Request generation information and requirements vary depending on the certificate authority. Check with your CA for details.
Example using default keystore
su -l hdfs -c "keytool -keystore keystore.jks -genkey -alias n3"
Enter keystore password: ********
What is your first and last name?
  [Unknown]:  hortonworks.com
What is the name of your organizational unit?
  [Unknown]:  Development
What is the name of your organization?
  [Unknown]:  Hortonworks
What is the name of your City or Locality?
  [Unknown]:  SantaClara
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=hortonworks.com, OU=Development, O=Hortonworks, L=SantaClara, ST=CA, C=US> correct?
  [no]:  yes
Enter key password for <host>
        (RETURN if same as keystore password):
Note
keytool uses the JKS format for the keystore and truststore. The keystore file is created in the user's home directory. Access to the keystore requires the password and alias.
- Verify that the key was generated; for example:
su -l hdfs -c "keytool -list -v -keystore keystore.jks"
- Create the CSR file from the keystore created above:
su -l hdfs -c "keytool -keystore <keystorename> -certreq -alias <host> -keyalg rsa -file <host>.csr"
This command generates a certificate signing request that can be sent to a CA. The file <host>.csr contains the CSR. The CSR is created in the user's home directory.
Confirm that the <host>.csr file exists by running the following command and making sure that the file is listed in the output:
su -l hdfs -c "ls ~/"
- Submit the CSR to your Certificate Authority.
- To import and install keys and certificates, follow the instructions sent to you by the CA.
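The whole procedure, scripted non-interactively with keytool, as an added example that is not part of the Hortonworks page. Every name in it is constructed (alias n3, the DN fields, the password, a scratch directory standing in for the hdfs home); the keytool calls are run directly, where a cluster node would wrap each one in su -l <service_user> -c "...". It goes beyond the page in three ways: -dname replaces the interactive prompts, -keyalg RSA is stated explicitly because keytool's -genkey defaults to DSA, and the last step (import of the CA reply) is shown in its generic form, with a local keytool -gencert key playing the part of the third-party CA so the script can run offline.

```shell
#!/bin/sh
# Added example, not part of the Hortonworks page: the CSR procedure above,
# scripted non-interactively with keytool. All names (hdfs home, alias n3,
# the DN fields, the password) are constructed for the demo. On a cluster
# node each keytool call would be wrapped as su -l <service_user> -c "...".
set -eu

# Build the X.500 name for -dname so keytool does not prompt for each field
# (values containing commas would need escaping, which this demo omits).
build_dname() {   # $1=CN $2=OU $3=O $4=L $5=ST $6=C
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1: generate the host key pair. -keyalg RSA is stated explicitly because
# keytool's -genkey/-genkeypair defaults to DSA, which most CAs will not sign.
generate_host_key() {   # $1=keystore $2=alias $3=dname $4=password
    keytool -keystore "$1" -storetype JKS -storepass "$4" -keypass "$4" \
        -genkeypair -keyalg RSA -keysize 2048 -alias "$2" -dname "$3" >/dev/null 2>&1
}

# Step 2: verify the alias is really in the keystore.
key_exists() {   # $1=keystore $2=alias $3=password
    keytool -keystore "$1" -storepass "$3" -list -alias "$2" >/dev/null 2>&1
}

# Step 3: write the CSR for the alias.
create_csr() {   # $1=keystore $2=alias $3=password $4=csr_file
    keytool -keystore "$1" -storepass "$3" -certreq -alias "$2" -file "$4" >/dev/null 2>&1
}

# Step 3 check: the CSR file exists, is non-empty and parses as a request.
csr_ready() {   # $1=csr_file
    [ -s "$1" ] && grep -q 'BEGIN NEW CERTIFICATE REQUEST' "$1" \
        && keytool -printcertreq -file "$1" >/dev/null 2>&1
}

# Step 5, generic form (your CA's instructions decide the exact order):
# trust the CA certificate first, then import the signed reply under the host alias.
install_signed_cert() {   # $1=keystore $2=alias $3=password $4=ca_cert $5=signed_cert
    keytool -keystore "$1" -storepass "$3" -importcert -noprompt \
        -alias ca-root -file "$4" >/dev/null 2>&1
    keytool -keystore "$1" -storepass "$3" -importcert -noprompt \
        -alias "$2" -file "$5" >/dev/null 2>&1
}

# Print the chain length keytool reports for the alias (2 = leaf + CA root).
chain_length() {   # $1=keystore $2=alias $3=password
    keytool -keystore "$1" -storepass "$3" -list -v -alias "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

# End-to-end run in a scratch directory standing in for the service user's
# home. Step 4 (submit to the CA) is replaced by a local stand-in CA that
# signs the CSR with keytool -gencert; in production a third party does this.
run_demo() (   # $1=scratch directory; prints the resulting chain length
    set -e
    cd "$1"
    pass='changeit'   # constructed demo password
    dname=$(build_dname n3.example.com Development Hortonworks SantaClara CA US)
    generate_host_key keystore.jks n3 "$dname" "$pass"
    key_exists keystore.jks n3 "$pass"
    create_csr keystore.jks n3 "$pass" n3.csr
    csr_ready n3.csr
    keytool -keystore ca.jks -storetype JKS -storepass "$pass" -keypass "$pass" \
        -genkeypair -keyalg RSA -keysize 2048 -alias ca \
        -dname 'CN=Demo Root CA, O=Example' -ext bc:c >/dev/null 2>&1
    keytool -keystore ca.jks -storepass "$pass" -exportcert -rfc \
        -alias ca -file ca.pem >/dev/null 2>&1
    keytool -keystore ca.jks -storepass "$pass" -gencert -rfc -alias ca \
        -infile n3.csr -outfile n3.pem >/dev/null 2>&1
    install_signed_cert keystore.jks n3 "$pass" ca.pem n3.pem
    chain_length keystore.jks n3 "$pass"
)

case "${1:-}" in
    demo) dir=$(mktemp -d); run_demo "$dir"; rm -rf "$dir" ;;
esac
```

Run it as sh gen_csr.sh demo; it prints 2 once the signed reply and the CA root are both in keystore.jks. The import order in install_signed_cert matters: keytool refuses a certificate reply whose chain it cannot anchor in a trusted entry already present in the keystore, so the CA certificate (or chain) is imported before the host's signed certificate, which is what most CA instructions spell out.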