Server certificates are stored in Java KeyStore (JKS) format and must be converted to
Privacy Enhanced Mail (PEM) format. You must create a PEM file before configuring Hue as a
TLS/SSL client or a TLS/SSL server.
To create the Hue truststore, extract each certificate from its keystore with the Java
keytool, convert the certificate to PEM format with the OpenSSL.org
openssl tool, and then add it to the Hue truststore:
-
Extract the certificate from the keystore of each TLS/SSL-enabled server with
which Hue communicates. For example, if you have
hadoop-server.keystore that contains a server certificate,
foo-1.example.com with a password of
example123, you would use the following keytool
command:
keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com -storepass example123 -file foo-1.cert
-
Convert each certificate into a PEM file. Here is what the
openssl
tool command looks like for the foo-1.cert file that was extracted in
Step 1:
openssl x509 -inform der -in foo-1.cert > foo-1.pem
-
Concatenate all the PEM certificates you extracted and converted from the server
truststore into one PEM file:
cat foo-1.pem foo-2.pem foo-n.pem ... > hue_truststore.pem
Concatenate the certificate files in the following order: SSL certificate followed by
intermediate certificate, followed by the root CA certificate.
