Obtain a Certificate from a Trusted Third-Party Certification Authority (CA)
A third-party Certification Authority (CA) accepts certificate requests from entities, authenticates applications, issues certificates, and maintains status information about certificates. Associated cryptography guarantees that a signed certificate is computationally difficult to forge. Thus, as long as the CA is a genuine and trusted authority, clients have high assurance that they are connecting to the machines that they are attempting to connect with.
To obtain a certificate signed by a third-party CA, generate and submit a Certificate Signing Request (CSR) for each cluster node:

1. From the service user account associated with the component (such as hive, hbase, oozie, or hdfs, shown below as <service_user>), generate the host key:

   su -l <service_user> -c "keytool -keystore <client-keystore> -genkey -alias <host>"

   At the prompts, enter the information required by the CSR.

   Note: Request generation information and requirements vary depending on the certificate authority. Check with your CA for details.

   Example using the default keystore keystore.jks:

   su -l hdfs -c "keytool -keystore keystore.jks -genkey -alias n3"
   Enter keystore password: ********
   What is your first and last name?
     [Unknown]: hortonworks.com
   What is the name of your organizational unit?
     [Unknown]: Development
   What is the name of your organization?
     [Unknown]: Hortonworks
   What is the name of your City or Locality?
     [Unknown]: SantaClara
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is <CN=hortonworks.com, OU=Development, O=Hortonworks, L=SantaClara, ST=CA, C=US> correct?
     [no]: yes
   Enter key password for <host> (RETURN if same as keystore password):

   By default, keytool uses the JKS format for the keystore and truststore. The keystore file is created in the user's home directory. Access to the keystore requires the password and alias.

2. Verify that the key was generated; for example:

   su -l hdfs -c "keytool -list -v -keystore keystore.jks"

3. Create the CSR file:

   su -l hdfs -c "keytool -keystore <keystorename> -certreq -alias <host> -keyalg rsa -file <host>.csr"

   This command generates a certificate signing request that can be sent to a CA. The file <host>.csr contains the CSR. The CSR is created in the user's home directory.

4. Confirm that the keystore.jks and <host>.csr files exist by running the following command and making sure that the files are listed in the output:

   su -l hdfs -c "ls ~/"

5. Submit the CSR to your Certificate Authority.

6. To import and install keys and certificates, follow the instructions sent to you by the CA.
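The per-node key and CSR steps above, automated as an added example that is not part of the Hortonworks documentation: it replaces the interactive prompts with -dname, requests RSA explicitly, and checks each step before moving on. It assumes it is run as the service user (or wrapped in su -l <service_user> -c), that the keystore password is passed as an argument, and that the DN's CN is the node's fully qualified hostname; the function name, arguments and sample DN are assumptions, not from the page.

```shell
#!/bin/sh
# Added example (not from the page): non-interactive key pair + CSR for one node.
# Assumptions: run as the service user, keystore password supplied as an
# argument, CN in the DN is the node's fully qualified hostname.
set -u

# gen_node_csr <keystore-path> <alias> <dname> <storepass>
# Creates the key pair, verifies the alias exists, writes <alias>.csr next to
# the keystore, checks the CSR is PEM-encoded, and prints the CSR path.
gen_node_csr() {
  keystore=$1 alias=$2 dname=$3 storepass=$4
  csr="$(dirname "$keystore")/$alias.csr"

  if ! command -v keytool >/dev/null 2>&1; then
    echo "gen_node_csr: keytool not found on PATH" >&2
    return 1
  fi

  # -dname replaces the interactive prompts; RSA and the key size are requested
  # explicitly instead of relying on keytool's default algorithm.
  keytool -keystore "$keystore" -storetype JKS -storepass "$storepass" \
    -keypass "$storepass" -genkeypair -alias "$alias" -keyalg RSA \
    -keysize 2048 -dname "$dname" >/dev/null || return 1

  # Verify that the key was generated (the page's "keytool -list" step).
  keytool -keystore "$keystore" -storepass "$storepass" -list -alias "$alias" \
    >/dev/null || return 1

  # Create the CSR that will be submitted to the CA.
  keytool -keystore "$keystore" -storepass "$storepass" -keypass "$storepass" \
    -certreq -alias "$alias" -file "$csr" >/dev/null || return 1

  # Confirm both files exist and the CSR carries keytool's PEM header.
  [ -s "$keystore" ] && [ -s "$csr" ] || return 1
  head -n 1 "$csr" | grep -q 'BEGIN NEW CERTIFICATE REQUEST' || return 1
  echo "$csr"
}
```

Run it once per node with the node's own alias and DN; the returned .csr path is what gets sent to the CA.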