Configuring Wire Encryption
Also available as:
PDF
loading table of contents...

Generating a Certificate Keystore Per Host

How to generate a certificate keystore per host when enabling SSL for Accumulo.

It is desirable to generate a certificate for each host in the system. Additionally, each client connecting to the Accumulo instance running with SSL should be issued its own certificate. Issuing individual certificates to each entity provides proper control to revoke/reissue certificates to clients as necessary, without widespread interruption.

The following commands create a private key for the server, generate a certificate signing request created from that private key, use the certificate authority to generate the certificate using the signing request. and then create a Java KeyStore with the certificate and the private key for our server.

# Create the private key for our server 
openssl genrsa -out server.key 4096 

# Generate a certificate signing request (CSR) with our private key 
openssl req -new -key server.key -out server.csr 

# Use the CSR and the CA to create a certificate for the server (a reply to the CSR) 
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial -out server.crt -days 365

# Use the certificate and the private key for our server to create PKCS12 file 
openssl pkcs12 -export -in server.crt -inkey server.key -certfile server.crt -name 'server-key' -out server.p12

# Create a Java KeyStore for the server using the PKCS12 file (private key) 
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype JKS

# Remove the PKCS12 file as we don't need it 
rm server.p12 

# Import the CA-signed certificate to the keystore 
keytool -import -trustcacerts -alias server-crt -file server.crt -keystore server.jks

This, combined with the truststore, provides what is needed to configure Accumulo servers to run over SSL. The private key (server.key), the certificate signed by the CA (server.pem), and the keystore (server.jks) should be restricted to only be accessed by the user running Accumulo on the host it was generated for. Use chown and chmod to protect the files, and do not distribute them over non-secure networks.