TLS certificate requirements and recommendations

If you choose to manually configure TLS, then you must use your own certificates. The certificates must meet the requirements listed here.

Certificate requirements

Ensure that the following minimum requirements are satisfied:
  • The KeyStore must contain only one PrivateKeyEntry. Using multiple private keys in one KeyStore is not supported.
  • The KeyStore password and key/certificate password must be the same or no password should be set on the certificate.
  • The unique KeyStores used on each cluster node must use the same KeyStore password and key/certificate password. Ambari and Cloudera Manager do not support defining unique passwords per host.
  • The X509v3 ExtendedKeyUsages section of the certificate must have the following attributes:
    • clientAuth

      This attribute is for TLS web client authentication.

    • serverAuth

      This attribute is for TLS web server authentication.

  • The signature algorithm used for the certificate must be sha256WithRSAEncryption (SHA-256).
  • The certificates must not use wildcards. Each cluster node must have its own certificate.
  • Subject Alternate Names (SANs) are mandatory and should at least include the FQDN of the host.
  • Additional names for the certificate/host can be added to the certificate as SANs.
    • Add the FQDN used for the CN as a DNS SAN entry.
    • If you are planning to use a load balancer, include the FQDN for the load balancer as a DNS SAN entry.
  • The X509v3 KeyUsage section of the certificate must include the following attributes:
    • DigitalSignature
    • Key_Encipherment

Cloudera recommendations

Cloudera recommends the following security protocols:
  • Use certificates that are signed by a CA. Do not issue self-signed certificates.
  • Generate a unique certificate per host.