Managing Clusters

Add SSL certificate for Knox Gateway

When Knox-powered Gateway is enabled, use these steps if you would like to add an SSL certificate for Ambari and/or other cluster UIs exposed through the Gateway.


  1. Obtain a trusted SSL certificate.
  2. If needed, perform the following to make sure that your certificate is compatible with the Gateway:
    • If the certificate is not already in p12 format, export the certificate into p12 format. For example:
      openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name gateway-identity -password pass:$mastersecret
    • Ensure that the certificate alias is “gateway-identity”.
    • Ensure that the store password matches the master secret created earlier. You can obtain the Knox master secret by using the following command:
      cat /srv/pillar/gateway/init.sls | grep mastersecret
    • Note the key password used, because you need to create an alias for this password.
  3. Access the cluster's master node via ssh.
  4. Obtain root access by using sudo su.
  5. Use keytool to import the desired certificate/key pair into the Java keystore that Knox is using.
    You can find the Java keystore at the following path:

    Example command for importing your certificate into the jks:

    keytool -importkeystore -deststorepass $mastersecret -destkeypass $mastersecret -destkeystore gateway.jks -srckeystore /usr/hdp/current/knox-server/data/security/keystores/custom_certs/identity.p12 -srcstoretype PKCS12 -srcstorepass $mastersecret -alias gateway-identity
  6. Restart Knox by using the following command:
    /usr/hdp/current/knox-server/bin/ stop

    This command stops Knox, but systemd automatically restarts it. To validate that it is restarted, use:

    netstat -tlpn | grep 8443

    Here is example output showing that the restart was successful:

    netstat -tlpn | grep 8443
    tcp  0  0*  LISTEN  13177/java
  7. Using your web browser, access the Ambari web UI.
  8. Confirm that the connection is SSL-protected and that the certificate used is the certificate that you provided.
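
A check for steps 2 and 8, added here as an example and not part of the original documentation: it confirms that identity.p12 carries the gateway-identity alias and that the certificate served by the gateway has the same SHA-256 fingerprint as the one you supplied. The P12_PASS variable and the function names are assumptions of this example; the password is read through env: so that it does not appear on the command line.

```shell
#!/bin/sh
# Added example (not from the page). Assumes openssl is installed and the store
# password is exported as P12_PASS, a variable name chosen for this example.

# SHA-256 fingerprint of the first PEM certificate read from stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the leaf certificate stored in the PKCS#12 file $1.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        pem_fingerprint
}

# Succeeds only if the PKCS#12 file $1 has an entry with alias $2.
p12_has_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -q "friendlyName: ${2}[[:space:]]*\$"
}

# PEM certificate presented by the TLS listener $1 (host:port).
served_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509
}

# Compare identity.p12 ($1) with a PEM file ($2) holding the served certificate.
# Returns 0 on match, 1 on fingerprint mismatch, 2 on alias or password problems.
check_identity() {
    p12_has_alias "$1" gateway-identity || {
        echo "no gateway-identity entry (wrong alias or store password)" >&2
        return 2
    }
    want=$(p12_fingerprint "$1")
    got=$(pem_fingerprint <"$2")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK: gateway serves the supplied certificate ($got)"
    else
        echo "MISMATCH: p12=$want served=$got" >&2
        return 1
    fi
}

# Usage: P12_PASS=<store password> sh check.sh identity.p12 <host>:8443
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) && served_cert "$2" >"$tmp"
    check_identity "$1" "$tmp"; rc=$?
    rm -f "$tmp"; exit "$rc"
fi
```

A mismatch after the restart usually means the browser is still being shown the previous keystore entry, so recheck the import in step 5 before trusting the connection.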