Using a CA-Signed Certificate
To use a CA-signed certificate:
Run the following command to create the private key for a self-signed root CA (the rootCA); the next steps self-sign it and import it into the client truststore. This is a private key and must be kept private. The following command creates a 2048-bit key:
openssl genrsa -out <clusterCA>.key 2048
Self-sign the rootCA. The following command signs the certificate for 300 days and starts an interactive prompt that requests name and location information (the Distinguished Name). Use a consistent file name for the resulting certificate; the later steps refer to it as <clusterCA>.pem:
openssl req -x509 -new -key <clusterCA>.key -days 300 -out <clusterCA>.pem
Import the rootCA certificate into the client truststore:
keytool -importcert -alias <clusterCA> -file <clusterCA>.pem -keystore <clustertruststore> -storepass <clustertruststorekey>
Note: Make sure that the ssl-client.xml file on every host is configured to use this <clustertruststore>. When configuring with Hive, point to this file; when configuring other services, install the certificate in the Java truststore.
For each host, sign the host's certificate request file (<host>.cert, generated earlier with keytool -certreq) with the rootCA. The -CAcreateserial option creates the CA serial-number file on first use:
openssl x509 -req -CA <clusterCA>.pem -CAkey <clusterCA>.key -in <host>.cert -out <host>.signed -days 300 -CAcreateserial
On each host, import the rootCA certificate and then the signed host certificate back into the host keystore (two separate commands; the rootCA must be imported first so that keytool can validate the chain of the signed certificate):
keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias <clusterCA> -import -file <clusterCA>.pem
keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias `hostname -s` -import -file <host>.signed -keypass <hostkey>
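The following script is an added example, not part of the original documentation, that runs the openssl part of the procedure above non-interactively and adds the check an operator wants before distributing certificates: that each signed host certificate actually chains to the cluster rootCA. The names clusterCA, node1, the -subj values and the WORKDIR layout are constructed for the example; -subj stands in for the interactive prompt the page describes; make_host_csr uses openssl instead of keytool -certreq so the flow runs without a JVM, and the truststore import is kept as a separate function that needs keytool on PATH.

```shell
#!/usr/bin/env bash
# Added example: non-interactive rootCA creation, CSR signing and chain
# verification for a Hadoop cluster. Assumes openssl (and keytool for the
# truststore step) on PATH. All names below are constructed placeholders.
set -euo pipefail

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLUSTER_CA="$WORKDIR/clusterCA"   # yields clusterCA.key and clusterCA.pem
CA_DAYS=300                       # validity used by the page's commands

# Steps 1 and 2: private rootCA key plus self-signed rootCA certificate.
# -subj replaces the interactive name/location prompt (assumption).
make_root_ca() {
  [ -f "$CLUSTER_CA.pem" ] && return 0
  openssl genrsa -out "$CLUSTER_CA.key" 2048 2>/dev/null
  chmod 600 "$CLUSTER_CA.key"     # private key: keep it private
  openssl req -x509 -new -key "$CLUSTER_CA.key" -days "$CA_DAYS" \
    -subj "/CN=example-cluster rootCA" -out "$CLUSTER_CA.pem" 2>/dev/null
}

# Example helper: a host key and certificate request (<host>.cert) made with
# openssl; on a real node this comes from keytool -certreq on the host keystore.
make_host_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/$host.key" \
    -subj "/CN=$host.example.internal" -out "$WORKDIR/$host.cert" 2>/dev/null
}

# Step 3: sign one host's request with the rootCA, as the page does.
sign_host_csr() {
  host="$1"
  openssl x509 -req -CA "$CLUSTER_CA.pem" -CAkey "$CLUSTER_CA.key" \
    -in "$WORKDIR/$host.cert" -out "$WORKDIR/$host.signed" \
    -days "$CA_DAYS" -CAcreateserial 2>/dev/null
}

# Check before distribution: the signed certificate must verify against the
# rootCA that the clients trust. Returns 0 only if the chain is valid.
verify_host_cert() {
  openssl verify -CAfile "$CLUSTER_CA.pem" "$WORKDIR/$1.signed" >/dev/null 2>&1
}

# Subject CN of a signed certificate, to confirm the right request was signed.
signed_cert_cn() {
  openssl x509 -in "$WORKDIR/$1.signed" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Client-side import of the rootCA into the cluster truststore (keytool).
# -noprompt accepts the certificate without the interactive "Trust this?" query.
import_root_into_truststore() {
  truststore="$1"; storepass="$2"
  keytool -importcert -noprompt -alias clusterCA -file "$CLUSTER_CA.pem" \
    -keystore "$truststore" -storepass "$storepass"
}

# End-to-end run for one host; prints the verification outcome.
run_example() {
  host="${1:-node1}"
  make_root_ca
  make_host_csr "$host"
  sign_host_csr "$host"
  if verify_host_cert "$host"; then
    echo "$host: certificate chains to $CLUSTER_CA.pem"
  else
    echo "$host: certificate does NOT chain to the rootCA" >&2
    return 1
  fi
}
```

Run it with `run_example node1` (or `WORKDIR=/some/dir bash script.sh` after sourcing); the files end up under WORKDIR. The verification step is the one worth keeping in an operational script: a certificate signed by the wrong key, or a rootCA file that does not match the one in the truststore, shows up here rather than as a TLS handshake failure on the cluster later.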