3.2.1. Generate a Certificate Signing Request (Third-party)

To obtain a certificate signed by a third-party CA, generate a certificate signing request (CSR) for each Hadoop cluster host as follows:

Note

A certificate signing request is typically not required when signing the certificate using an internal CA.

  1. Using the service user account (shown below as $service_user), such as hive, hbase, oozie or hdfs, generate the host key pair. Specify an RSA key explicitly: without -keyalg, older versions of keytool default to a 1024-bit DSA key, which is not suitable for TLS. When prompted for "first and last name", enter the host's fully qualified domain name, because TLS clients compare the certificate's CN (or subject alternative name) against the host name they connected to:

    su -l $service_user -c "keytool -keystore keystore.jks -genkey -keyalg RSA -keysize 2048 -alias $host"
    
    Enter keystore password:  javacaps
    What is your first and last name?
    [Unknown]:  name
    What is the name of your organizational unit?
    [Unknown]:  department
    What is the name of your organization?
    [Unknown]:  companyname
    What is the name of your City or Locality?
    [Unknown]:  city
    What is the name of your State or Province?
    [Unknown]:  state
    What is the two-letter country code for this unit?
    [Unknown]:  XX
    Is <CN=name, OU=department, O=companyname, L=city, ST=state, 
    C=XX> correct?
    [no]:  yes
    
    Enter key password for <host>
    (RETURN if same as keystore password):

    The keystore file, keystore.jks, is created in the service user's home directory. Access to the private key requires the keystore password and the alias (and the key password, if one was set).

  2. Verify that key was generated:

    su -l $service_user -c "keytool -list -v -keystore keystore.jks"
  3. Create the Certificate Signing Request (CSR). The key algorithm and size were fixed when the key pair was generated in step 1, so they are not specified again here:

    su -l $service_user -c "keytool -keystore keystore.jks -certreq -alias $host -file $host.csr"

    The CSR is created in the service user's home directory.

  4. Verify that the file was created:

    su -l $service_user -c "ls ~/"
    cache  keystore.jks  $host.csr
  5. Send the CSR to the CA. Follow the instructions sent to you by the CA to properly install the keys and certificate.

    Note

    Request generation instructions vary between third-party CAs; follow the instructions the CA provides.
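The following script, added here as an example and not taken from the Hortonworks documentation, runs steps 1 to 4 non-interactively for one host and then checks the CSR the way a practitioner should before sending it to the CA: the request's self-signature verifies, the subject CN is the host's FQDN, the key is 2048-bit RSA, and the same name is requested as a DNS subject alternative name. It assumes keytool and openssl are on PATH and that the keystore password is passed as an argument; the host name nn.example.com and the OU/O/L/ST/C values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-4 of the CSR procedure
# run non-interactively, plus a sanity check of the resulting CSR.
# Assumptions (not from the page): keytool and openssl are on PATH, the
# keystore password is passed as an argument, and nn.example.com plus the
# OU/O/L/ST/C values below are placeholders for your own.
set -eu

# Step 1: 2048-bit RSA key pair for the host. The subject CN is the FQDN and
# the same name is requested as a DNS SAN, which is what TLS clients actually
# compare against the host they connected to.
gen_host_key() {
    host="$1"; ks="$2"; pass="$3"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 90 \
        -alias "$host" -keystore "$ks" -storetype JKS \
        -storepass "$pass" -keypass "$pass" \
        -dname "CN=$host, OU=Engineering, O=Example, L=Palo Alto, ST=California, C=US" \
        -ext "SAN=dns:$host"
}

# Step 2: list the entry; exits non-zero if the alias is not in the keystore.
list_host_key() {
    keytool -list -v -keystore "$2" -storepass "$3" -alias "$1"
}

# Step 3: write the CSR. The key algorithm was fixed at generation time; the
# SAN is repeated here so it lands in the request's extension attribute.
create_csr() {
    host="$1"; ks="$2"; pass="$3"; out="$4"
    keytool -certreq -alias "$host" -keystore "$ks" -storepass "$pass" \
        -file "$out" -ext "SAN=dns:$host"
}

# Subject CN of a CSR. RFC 2253 formatting is stable across OpenSSL versions.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 4, strengthened: rather than only "the file exists", check what the
# CA will see. Returns non-zero with a reason on stderr if anything is off.
verify_csr() {
    csr="$1"; host="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 ||
        { echo "CSR self-signature does not verify" >&2; return 1; }
    [ "$(csr_subject_cn "$csr")" = "$host" ] ||
        { echo "subject CN is not $host" >&2; return 1; }
    txt=$(openssl req -in "$csr" -noout -text -nameopt RFC2253)
    echo "$txt" | grep -q 'rsaEncryption' || { echo "key is not RSA" >&2; return 1; }
    echo "$txt" | grep -q '(2048 bit)'   || { echo "key is not 2048-bit" >&2; return 1; }
    echo "$txt" | grep -q "DNS:$host"    || { echo "no DNS SAN for $host" >&2; return 1; }
    echo "CSR $csr OK: RSA-2048, CN=$host, SAN dns:$host"
}

# Usage: sh gen_csr.sh nn.example.com keystore.jks <keystore-password>
# (run it as the service user, e.g. under su -l hdfs, so the files land in
# that user's home directory as in the steps above)
if [ $# -eq 3 ]; then
    gen_host_key "$1" "$2" "$3"
    list_host_key "$1" "$2" "$3"
    create_csr "$1" "$2" "$3" "$1.csr"
    verify_csr "$1.csr" "$1"
fi
```

Passing the password on the command line is convenient for a one-off run but leaves it in shell history and process listings; for repeated use, read it from a file with keytool's -storepass:file option or prompt for it interactively as the documented steps do.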

Example of the hdfs user creating a signing request on host nn. Note that this transcript was captured without -keyalg, so keytool used its default key type (a DSA key, visible as SHA1withDSA in the listing), and CN was set to the organization name rather than the host name; for a TLS server key, pass -keyalg RSA -keysize 2048 and use the host's fully qualified domain name as the CN.

su -l hdfs -c "keytool -keystore keystore.jks -genkey -alias nn"
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Hortonworks
What is the name of your organizational unit?
  [Unknown]:  Engineering
What is the name of your organization?
  [Unknown]:  Hortonworks
What is the name of your City or Locality?
  [Unknown]:  Palo Alto
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Hortonworks, OU=Engineering, O=Hortonworks, L=Palo Alto, ST=California, C=US correct?
  [no]:  yes

Enter key password for <nn>
	(RETURN if same as keystore password):

su -l hdfs -c "keytool -list -v -keystore keystore.jks"
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nn
Creation date: Aug 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Hortonworks, OU=Engineering, O=Hortonworks, L=Palo Alto, ST=California, C=US
Issuer: CN=Hortonworks, OU=Engineering, O=Hortonworks, L=Palo Alto, ST=California, C=US
Serial number: 53fb6404
Valid from: Mon Aug 25 16:27:48 UTC 2014 until: Sun Nov 23 16:27:48 UTC 2014
Certificate fingerprints:
	 MD5:  58:97:7B:B4:47:0D:2B:97:3D:0D:AA:82:D6:1D:A3:38
	 SHA1: 62:9F:EB:7F:DA:3A:F6:43:58:BF:43:A0:F2:BF:E0:16:A8:B2:D5:A9
	 Signature algorithm name: SHA1withDSA
	 Version: 3


*******************************************

su -l hdfs -c "keytool -keystore keystore.jks -certreq -alias nn -file nn.csr"
Enter keystore password:

su -l hdfs -c "ls ~/"
cache  keystore.jks  nn.csr
