How to Add Root and Intermediate CAs to Truststore for TLS/SSL
If a signed certificate is from a certificate authority (CA) that does not have certificates in the truststore (internal CA or a public CA not included in the Java truststore, for example), you must explicitly establish trust for the CA.
The content of the truststore for the Cloudera Manager Server cluster can be modified (certificates added, for example) without restarting the server. Changes to the truststore are adopted by the system within 10 seconds.
Explicit Trust for Certificates
1. Copy the root and intermediate CA certificates to the Cloudera Manager Server host. The commands in the following steps assume they are at /opt/cloudera/security/pki/rootca.cert.pem and /opt/cloudera/security/pki/intca.cert.pem.
- For concatenated files containing root CA and intermediate CA certificates, split the file at the BEGIN CERTIFICATE boundaries that separate each certificate in the file and make individual files instead. Each resulting file must begin with its BEGIN CERTIFICATE line and end with its END CERTIFICATE line; anything outside those lines (bag attributes, comments) can be dropped.
- When extracting multiple intermediate CA certificates from a concatenated file, use unique file names such as intca-1.cert.pem, intca-2.cert.pem, and so on. Keep track of which file is which: the root is the certificate whose subject and issuer are identical, and each intermediate is issued by the next one up.
2. Import the root CA certificate into the JDK truststore. If you do not have the $JAVA_HOME variable set, replace it with the path to the Oracle JDK:
$ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
    -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit
The default password for the JDK truststore is changeit (as shown in the above command). Cloudera recommends changing this password by running the keytool command:
$ keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/cacerts
Two things to check here. Java's default trust manager reads jssecacerts instead of cacerts whenever jssecacerts exists, so if the file does not exist yet, the import above creates a brand-new truststore that contains only this one root, and the JVM stops trusting every public CA that cacerts held; if that is not what you want, create jssecacerts as a copy of cacerts before importing. Also, the truststore password protects only the integrity of the file, not the secrecy of the public certificates in it: whichever password you choose, run -storepasswd against the same file you imported into, and keep the file writable by root only.
3. Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts. Copy the file to the same location on each host using the path required by Oracle JDK, which is as follows:
$JAVA_HOME/jre/lib/security/jssecacerts
4. On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate. Be sure to use the append (>>) operator, not overwrite (>), when executing the statement:
$ sudo cat /opt/cloudera/security/pki/intca.cert.pem >> \
    /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem
Note that the >> redirection is performed by your shell, not by sudo, so the command fails with "Permission denied" unless your own user can write to the target file; in that case run the whole statement under sudo sh -c, or pipe through sudo tee -a. If there is more than one intermediate, append them in issuing order (the one that signed the server certificate first, then its issuer, and so on). The root itself does not belong in this file: a peer that does not already hold the root in its own truststore gains nothing from receiving it.
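As an added example (not code from the Cloudera page), the following POSIX shell script does steps 1 and 4 mechanically and wraps the keytool import of step 2: it splits a concatenated bundle into one file per certificate, identifies the root by comparing subject and issuer, appends the intermediate to the server certificate only once and only with a newline in between, and seeds jssecacerts from cacerts before importing. The function names, the cert-N.pem naming, the constructed demo bundle (fake PEM bodies, not real certificates) and the cacerts-seeding behaviour are this example's own assumptions; the openssl and keytool helpers need those tools and JAVA_HOME on a real host.

```shell
#!/bin/sh
# Added example, not part of the Cloudera page: split a concatenated CA bundle
# into one file per certificate, import the root into jssecacerts, and append
# the intermediate to the signed server certificate without duplicating it.
# Paths and function names below are this example's own assumptions.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... one per BEGIN/END CERTIFICATE
# block, dropping anything outside the blocks (for example the "Bag Attributes"
# headers that openssl pkcs12 emits). Prints the number of certificates written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/ && inblock { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_cert CERT
# Prints subject and issuer; the root CA is the file whose subject equals its
# issuer, which tells you which split file to keep as rootca.cert.pem.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# append_intermediate SERVER_CERT INTCA
# Appends INTCA to SERVER_CERT with >> (never >). Adds a newline first when the
# server file lacks a trailing one, so END CERTIFICATE and BEGIN CERTIFICATE
# never share a line; returns 1 without touching the file when the
# intermediate is already its tail, so re-running the step is harmless.
append_intermediate() {
    if tail -n "$(($(wc -l < "$2")))" "$1" | cmp -s - "$2"; then
        return 1
    fi
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
    cat "$2" >> "$1"
}

# import_root_ca ROOTCA [STOREPASS]
# Imports ROOTCA into jssecacerts. Seeding jssecacerts from cacerts first is an
# assumption added here: JSSE reads jssecacerts instead of cacerts when it
# exists, so importing into a freshly created jssecacerts would leave the JVM
# trusting only this one root.
import_root_ca() {
    secdir="$JAVA_HOME/jre/lib/security"
    [ -e "$secdir/jssecacerts" ] || cp "$secdir/cacerts" "$secdir/jssecacerts"
    keytool -importcert -noprompt -alias rootca -keystore "$secdir/jssecacerts" \
        -file "$1" -storepass "${2:-changeit}"
    keytool -list -alias rootca -keystore "$secdir/jssecacerts" -storepass "${2:-changeit}"
}

# verify_chain ROOTCA INTCA SERVER_CERT
# Proves the three files actually chain before anything is deployed.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Stand-alone demo on a constructed bundle (fake PEM bodies, not real certs).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Bag Attributes' '    friendlyName: ca' \
        '-----BEGIN CERTIFICATE-----' 'MIIB...root...' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIB...intca...' '-----END CERTIFICATE-----' \
        > "$d/bundle.pem"
    # server cert written without a trailing newline, as CA portals often do
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIB...server...' \
        '-----END CERTIFICATE-----' > "$d/server.cert.pem"
    echo "split: $(split_pem_bundle "$d/bundle.pem" "$d/split") certificates"
    append_intermediate "$d/server.cert.pem" "$d/split/cert-2.pem"
    append_intermediate "$d/server.cert.pem" "$d/split/cert-2.pem" || echo "already appended, skipped"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$d/server.cert.pem"   # prints 2
    rm -rf "$d"
}

demo
```

On a real host, run split_pem_bundle on the CA bundle, describe_cert on each output to find the root, then verify_chain before import_root_ca and append_intermediate; the verify step is what catches a bundle whose intermediates are in the wrong order or missing one link.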