TLS certificate requirements and recommendations
If you choose to manually configure TLS, then you must use your own certificates. The certificates must meet the requirements listed here.
- The KeyStore must contain only one PrivateKeyEntry. Using multiple private keys in one KeyStore is not supported.
- The KeyStore password and key/certificate password must be the same or no password should be set on the certificate.
- The unique KeyStores used on each cluster node must use the same KeyStore password and key/certificate password. Ambari and Cloudera Manager do not support defining unique passwords per host.
- The X509v3 ExtendedKeyUsages section of the certificate must
have the following attributes:
This attribute is for TLS web client authentication.
This attribute is for TLS web server authentication.
- The signature algorithm used for the certificate must be
- The certificates must not use wildcards. Each cluster node must have its own certificate.
- Subject Alternate Names (SANs) are mandatory and should at least include the FQDN of the host.
- Additional names for the certificate/host can be added to the certificate as SANs.
- Add the FQDN used for the CN as a DNS SAN entry.
- If you are planning to use a load balancer, include the FQDN for the load balancer as a DNS SAN entry.
- The X509v3 KeyUsage section of the certificate must include the
- Use certificates that are signed by a CA. Do not issue self-signed certificates.
- Generate a unique certificate per host.