Create your own CA certificate.

openssl req -new -x509 -keyout ca.key -out ca.crt -days 365

Import CA certificate into the truststore.

# keytool -keystore /<path>/truststore.jks -alias CARoot -import -file ca.crt -storepass bigdata

Check truststore.

# keytool -keystore /<path>/truststore.jks -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caroot, Feb 22, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF

You should see trustedCertEntry for CA.

Generate certificate for AMS Collector and store private key in keystore.

#  keytool -genkey -alias c6401.ambari.apache.org -keyalg RSA -keysize 1024 -dname "CN=c6401.ambari.apache.org,OU=IT,O=Apache,L=US,ST=US,C=US" -keypass bigdata -keystore /<path>/keystore.jks -storepass bigdata

	Note
	If you use an alias different than the default hostname (c6401.ambari.apache.org), then, in step 12, set the ssl.client.truststore.alias config to use that alias.

Create certificate request for AMS collector certificate.

keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -certreq -file c6401.ambari.apache.org.csr -storepass bigdata

Sign the certificate request with the CA certificate.

openssl x509 -req -CA ca.crt -CAkey ca.key -in c6401.ambari.apache.org.csr -out c6401.ambari.apache.org_signed.crt -days 365 -CAcreateserial -passin pass:bigdata

Import CA certificate into the keystore.

keytool -keystore /<path>/keystore.jks -alias CARoot -import -file ca.crt -storepass bigdata

Import signed certificate into the keystore.

keytool -keystore /<path>/keystore.jks -alias c6401.ambari.apache.org -import -file c6401.ambari.apache.org_signed.crt -storepass bigdata

Check keystore.

caroot2, Feb 22, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 7C:B7:0C:27:8E:0D:31:E7:BE:F8:BE:A1:A4:1E:81:22:FC:E5:37:D7
[root@c6401 tmp]# keytool -keystore /tmp/keystore.jks -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

caroot, Feb 22, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): AD:EE:A5:BC:A8:FA:61:2F:4D:B3:53:3D:29:23:58:AB:2E:B1:82:AF
c6401.ambari.apache.org, Feb 22, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A2:F9:BE:56:7A:7A:8B:4C:5E:A6:63:60:B7:70:50:43:34:14:EE:AF

You should see PrivateKeyEntry for the ams collector hostname entry and trustedCertEntry for CA.

Copy /<path>/truststore.jks to all nodes to /<path>/truststore.jks and set appropriate access permissions.

Copy /<path>/keystore.jks to AMS collector node ONLY to /<path>/keystore.jks and set appropriate access permissions. Recommended: set owner to ams user and access permnissions to 400.

In Ambari Web, update AMS configs, setams-site/timeline.metrics.service.http.policy=HTTPS_ONLY.

Restart services with stale configs.

Configure Ambari server to use truststore.

# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? 
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file :/<path>/keystore.jks
Password for TrustStore:
Re-enter password: 
Ambari Server 'setup-security' completed successfully.

Configure ambari server to use https instead of http in requests to AMS Collector by adding "server.timeline.metrics.https.enabled=true" to ambari.properties file.

# echo "server.timeline.metrics.https.enabled=true" >> /etc/ambari-server/conf/ambari.properties

Restart ambari server.