Generate client certificates for TLS Mutual Authentication

Learn how to generate and configure client certificates for TLS Mutual Authentication.

  1. Generate a private key for the SSL client:
    openssl genrsa -out client.key 4096
  2. Create a certificate signing request (CSR) using the client's private key:
    openssl req -new -key client.key -out client.req
  3. If you have access to a Certificate Authority (CA) private key (-CAkey), you can sign the certificate using OpenSSL:
    openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial [***CERTIFICATE SERIAL NUMBER***] -extensions client -days 365 -outform PEM -out client.cer
  4. Convert the client certificate and private key to PKCS #12 format (.p12) for browser compatibility:
    openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12
  5. Import the CA certificate that signed the client certificate into the Java KeyStore (JKS) truststore file whose location is set by gateway.truststore.path.
  6. Restart Knox to apply the updated configuration.
  7. Verify the certificates using OpenSSL:
    openssl s_client -connect [***HOSTNAME***]:[***PORT NUMBER***] -CAfile [***PATH TO CA CERTIFICATE***] -cert client.cer -key client.key -debug
    Check the output for any errors. Note that a successful connection does not guarantee successful authentication.
  8. Optionally, test the certificates with a curl command to the Knox gateway (using AutoTLS CA certificates):
    curl https://[***HOSTNAME***]:[***PORT NUMBER***]/gateway/homepage/home --cacert /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem --cert ./client.cer --key ./client.key