Obtain a Certificate from a Trusted Third-Party Certification Authority (CA)
To obtain a certificate signed by a third-party CA, generate and submit a Certificate Signing Request (CSR) for each cluster node.
su -l <service_user> -c "keytool -keystore <client-keystore> -genkey -alias <host>"
Note: Request generation information and requirements vary depending on the certificate authority. Check with your CA for details.
For example, with keystore.jks:
su -l hdfs -c "keytool -keystore keystore.jks -genkey -alias n3"
Enter keystore password: ********
What is your first and last name?
[Unknown]: hortonworks.com
What is the name of your organizational unit?
[Unknown]: Development
What is the name of your organization?
[Unknown]: Hortonworks
What is the name of your City or Locality?
[Unknown]: SantaClara
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=hortonworks.com, OU=Development, O=Hortonworks, L=SantaClara, ST=CA,
C=US correct?
[no]: yes
Enter key password for <host>
(RETURN if same as keystore password):
By default, keytool uses JKS format for the keystore and truststore. The keystore file is created in the user's home directory. Access to the keystore requires the password and alias.
To list the entries in the keystore:
su -l hdfs -c "keytool -list -v -keystore keystore.jks"
su -l hdfs -c "keytool -keystore <keystorename> -certreq -alias <host> -keyalg rsa -file <host>.csr"
This command generates a certificate signing request that can be sent to a CA. The file <host>.csr contains the CSR. The CSR is created in the user's home directory.
Confirm that the keystore.jks and <host>.csr files exist by running the following command and making sure that the files are listed in the output:
su -l hdfs -c "ls ~/"
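The whole procedure above as one non-interactive script, with a final check that the CSR subject names the node before it is sent to the CA. This is an added example, not part of the original documentation. It assumes the keystore password is exported as KS_PASS, and the function name, the DN_SUFFIX value and the host names are illustrative.

```shell
#!/bin/sh
# Added example: run as the component's service user (for example hdfs).
# Assumptions: KS_PASS (exported) holds the keystore password; DN_SUFFIX is
# constructed from the sample answers shown above; host names are placeholders.
DN_SUFFIX="${DN_SUFFIX:-OU=Development, O=Hortonworks, L=SantaClara, ST=CA, C=US}"

# make_node_csr <host-fqdn> [keystore]  -> prints the path of the CSR it wrote
make_node_csr() (
    host="$1"; ks="${2:-$HOME/keystore.jks}"
    [ -n "$host" ] || { echo "usage: make_node_csr <host> [keystore]" >&2; exit 2; }
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS is not set" >&2; exit 2; }
    export KS_PASS
    csr="$(dirname "$ks")/$host.csr"
    umask 077   # the keystore holds the private key: owner-only from creation

    # Generate the key pair only if the alias is not already in the keystore.
    # -dname replaces the interactive questions; CN is the node's host name.
    if ! keytool -list -keystore "$ks" -storepass:env KS_PASS \
            -alias "$host" >/dev/null 2>&1; then
        keytool -genkeypair -keystore "$ks" -storepass:env KS_PASS \
            -keypass:env KS_PASS -alias "$host" -keyalg RSA -keysize 2048 \
            -dname "CN=$host, $DN_SUFFIX" >&2 || exit 1
    fi

    # Verify the key entry, then write the CSR next to the keystore.
    keytool -list -keystore "$ks" -storepass:env KS_PASS \
        -alias "$host" >/dev/null || exit 1
    keytool -certreq -keystore "$ks" -storepass:env KS_PASS \
        -alias "$host" -file "$csr" >&2 || exit 1

    # Confirm both files exist and that the CSR subject names this node, so a
    # request with the wrong CN is caught before it is sent to the CA.
    [ -s "$ks" ] && [ -s "$csr" ] || { echo "missing $ks or $csr" >&2; exit 1; }
    keytool -printcertreq -file "$csr" | grep -qF "CN=$host," \
        || { echo "CSR subject does not name $host" >&2; exit 1; }
    echo "$csr"
)

# Stand-alone use: sh make_node_csr.sh <host-fqdn> [keystore]
if [ "$#" -ge 1 ]; then make_node_csr "$@"; fi
```

Passing the password with `-storepass:env` keeps it out of the process list, and the script stops with a non-zero status if an existing alias was generated with a different CN.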