Server certificates are stored in Java KeyStore (JKS) format and must be converted to
Privacy Enhanced Mail (PEM) format. You must create a PEM file before configuring Hue as a
TLS/SSL client or a TLS/SSL server.
To create the Hue truststore, extract each certificate from its keystore with the Java
keytool
, convert the certificate to PEM format with the OpenSSL.org
openssl
tool, and then add it to the Hue truststore:
-
Extract the certificate from the keystore of each TLS/SSL-enabled server with
which Hue communicates. For example, if you have
hadoop-server.keystore
that contains a server certificate,
foo-1.example.com
with a password of
example123
, you would use the following keytool
command:
keytool -exportcert -keystore hadoop-server.keystore -alias foo-1.example.com -storepass example123 -file foo-1.cert
-
Convert each certificate into a PEM file. Here is what the
openssl
tool command looks like for the foo-1.cert
file that was extracted in
Step 1:
openssl x509 -inform der -in foo-1.cert > foo-1.pem
-
Concatenate all the PEM certificates you extracted and converted from the server
truststore into one PEM file:
cat foo-1.pem foo-2.pem foo-n.pem ... > hue_truststore.pem
Concatenate the certificate files in the following order: SSL certificate followed by
intermediate certificate, followed by the root CA certificate.