Generating a Certificate Authority
How to generate a certificate authority (CA) when enabling SSL for Accumulo.
The certificate authority (CA) determines which certificates are accepted when two parties authenticate to each other. To establish a secure connection between two parties, each party's certificate must be signed by a certificate authority present in the "truststore" (a Java KeyStore that contains the certificate, and thus the public key, of at least one certificate authority). When creating your own certificate authority, a single CA is typically sufficient (and results in a single CA certificate in the truststore). Alternatively, a third party can act as the certificate authority (adding an additional layer of assurance); however, such services are typically not free.
The following is an example of creating a certificate authority and adding its certificate (public key) to a Java KeyStore to provide to Accumulo.
# Create a private key
openssl genrsa -des3 -out root.key 4096
# Create a self-signed root certificate from the private key (valid for 365 days)
openssl req -x509 -new -key root.key -days 365 -out root.pem
# Convert the PEM (Base64) certificate into DER (binary) format for keytool
openssl x509 -outform der -in root.pem -out root.der
# Import the root certificate (the public half only, never root.key) into a Java KeyStore used as the truststore
keytool -import -alias root-key -keystore truststore.jks -file root.der
# Remove the DER formatted certificate file (as we don't need it anymore)
rm root.der
Remember to protect root.key and never distribute it, as the private key is the basis for your circle of trust. The keytool command will prompt you about whether or not the certificate should be trusted: enter "yes".

The truststore.jks file, a "truststore", is meant to be shared with all parties communicating with one another. The password provided to the truststore verifies that the contents of the truststore have not been tampered with.
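To see what the CA in the truststore actually enforces, the following added example (not from the Accumulo documentation) repeats the CA creation above non-interactively, goes one step further by issuing a server certificate signed by that CA, and checks that the certificate verifies only against the CA that signed it. It assumes openssl 1.1.1 or later on PATH; the names, paths and password are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example: root CA creation (as in the steps above, but scripted),
# issuing a server certificate with that CA, and chain verification.
# Assumes openssl 1.1.1+ on PATH. All names and the password are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-example-ca-password}"   # placeholder; supply a real secret in practice

# make_root_ca NAME: password-protected private key plus a self-signed CA
# certificate; the default openssl.cnf marks it basicConstraints CA:TRUE.
make_root_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -passin "pass:$CA_PASS" -days 365 \
    -subj "/CN=$1" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA HOST: generate HOST's key and CSR, then sign the CSR with CA.
# Only the CA's certificate (CA.pem) would go into the truststore; CA.key stays private.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -subj "/CN=$2" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 90 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against CA HOST: return 0 if HOST's certificate chains to CA, else 1.
# This is the same decision a truststore holding only CA.pem would make.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Demo: two independent CAs; the server certificate is trusted only through
# the CA that signed it, which is why every peer's certificate must be signed
# by a CA whose certificate is in the shared truststore.
make_root_ca root-ca
make_root_ca other-ca
issue_cert root-ca server.example.com
verify_against root-ca  server.example.com && echo "root-ca:  trusted (expected)"
verify_against other-ca server.example.com || echo "other-ca: rejected (expected)"
```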