Run the following command to create a self-signing rootCA and import the rootCA into the client truststore. This is a private key; it should be kept private. The following command creates a 2048-bit key:

openssl genrsa -out <clusterCA>.key 2048

Self-sign the rootCA. The following command signs for 300 days. It will start an interactive script that requests name and location information.

openssl req -x509 -new -key <clusterCA>.key -days 300 -out <clusterCA>

Import the rootCA into the client truststore:

keytool -importcert -alias <clusterCA> -file $clusterCA -keystore <clustertruststore> -storepass <clustertruststorekey>

	Note
	Make sure that the ssl-client.xml file on every host is configured to use this $clustertrust store. When configuring with Hive point to this file; when configuring other services install the certificate in the Java truststore.

For each host, sign the certreq file with the rootCA:

openssl x509 -req -CA $clusterCA.pem -CAkey <clusterCA>.key -in <host>.cert -out $host.signed -days 300 -CAcreateserial

On each host, import the rootCA and the signed cert back in:

keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias <clusterCA> -import -file cluster1CA.pem
keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias `hostname -s` -import -file <host>.signed -keypass <hostkey>