Copy or download the .cert file onto the client machine.

Run the following command (as root) to import the certificate into the JRE keystore. This will allow any Java program, including the Oozie client, to connect to the Oozie Server using the self-signed certificate.

sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}

Where ${JRE_cacerts} is the path to the JRE .certs file. Its location may differ depending on the operating system, but its typically named cacerts and is located at ${JAVA_HOME}/lib/security/cacerts, but it may be in a different directory under ${JAVA_HOME} (you may want to create a backup copy of this file first). The default password is changeit.

When using the Oozie Client, you must use https://oozie.server.hostname:11443/oozie rather than http://oozie.server.hostname:11000/oozie -- Java will not automatically redirect from the HTTP address to the HTTPS address.