Creating a Certificate Signing Request (CSR) and Key/Certificate Pair
Use the following steps to create a Certificate Signing Request (CSR) to submit to your CA. Then, create a private key/certificate pair that can be used to authenticate incoming communication requests to Cloudera Data Science Workbench.
1. Create a cdsw.cnf file and populate it with the required configuration parameters, including the SAN field values:

       vi cdsw.cnf

2. Copy and paste the default openssl.cnf from http://web.mit.edu/crypto/openssl.cnf into it.

3. Modify the following sections and save the cdsw.cnf file:

       [ CA_default ]
       default_md = sha256                      # Update this

       [ req ]
       default_bits = 2048                      # Update this
       req_extensions = req_ext                 # Add this line

       [ req_distinguished_name ]
       countryName = Country Name (2 letter code)
       stateOrProvinceName = State or Province Name (full name)
       localityName = Locality Name (eg, city)
       organizationName = Organization Name (eg, company)
       commonName = Common Name (e.g. server FQDN or YOUR name)

       [ req_ext ]                              # Add this section
       subjectAltName = @alt_names

       [alt_names]                              # Add this section
       DNS.1 = *.cdsw.company.com               # This should be your CDSW wildcard domain
       DNS.2 = cdsw.company.com
   Key points to note:

   - The domains set in the DNS.1 and DNS.2 entries above must match the DOMAIN set in cdsw.conf.
   - The default_md parameter must be set to sha256 at a minimum. Older hash functions such as SHA1 are deprecated and will be rejected by browsers, either currently or in the very near future.
   - The commonName (CN) parameter will be ignored by browsers. You must use Subject Alternative Names.
4. Run the following command to generate the CSR. Fill in the prompts with the relevant information. Do not set a challenge password.

       openssl req -out cert.csr -newkey rsa:2048 -nodes -keyout private.key -config cdsw.cnf

   This command generates the private key and the CSR in one step. The -nodes switch disables encryption of the private key (encrypted private keys are not supported by Cloudera Data Science Workbench at this time).
5. Use the CSR and private key generated in the previous step to request a certificate from the CA. If you have access to your organization's internal CA or PKI, use the following command to request the certificate. If you do not have access, or are using a third-party/commercial CA, use your organization's respective internal process to submit the request.

       openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out <your_tls_cert>.crt -sha256 -extfile cdsw.cnf -extensions req_ext
6. Run the following command to verify that the certificate issued by the CA lists both the required domains, cdsw.company.com and *.cdsw.company.com, under X509v3 Subject Alternative Name:

       openssl x509 -in <your_tls_cert>.crt -noout -text

   You should also verify that a valid hash function was used to sign the certificate. For SHA-256, the value under Signature Algorithm will be sha256WithRSAEncryption.

Optional: For POC purposes, you may wish to use a self-signed certificate without a certificate authority. This can be achieved by using the following commands in Step 5:

    # Generate a key:
    openssl genrsa -out cert.key 2048

    # Self sign your cert. The req_ext section lives in the cdsw.cnf you edited in Step 3,
    # not in the unmodified openssl.cnf, so that is the file to pass to -extfile:
    openssl x509 -req -days 3650 -in cert.csr -CAcreateserial -out mycert.crt -sha256 -extfile cdsw.cnf -extensions req_ext -signkey cert.key
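The following script is an added example and is not part of the Cloudera documentation. It runs the whole procedure above end to end in a throwaway directory (a constructed cdsw.cnf carrying only the sections Step 3 tells you to change, key and CSR generation as in Step 4, a proof-of-concept self-signed certificate as in the optional note) and then performs the Step 6 check automatically: a check_cert function that returns success only when every required name appears under X509v3 Subject Alternative Name and the Signature Algorithm is sha256WithRSAEncryption. The temp directory, file names, DN values and the check_cert function are this example's own assumptions; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not Cloudera's own code. Generates a key/CSR/self-signed cert
# from a constructed cdsw.cnf and verifies SANs and signature hash on the result.
set -e

WORK=$(mktemp -d)   # scratch directory (assumption: mktemp -d is available)

# Constructed config: only the sections the procedure above tells you to add or
# modify. prompt = no lets the script run unattended with fixed DN values.
cat > "$WORK/cdsw.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
C  = US
ST = California
L  = Palo Alto
O  = Example Company
CN = cdsw.company.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.cdsw.company.com
DNS.2 = cdsw.company.com
EOF

# Step 4: private key and CSR in one step; -nodes leaves the key unencrypted.
openssl req -out "$WORK/cert.csr" -newkey rsa:2048 -nodes \
    -keyout "$WORK/private.key" -config "$WORK/cdsw.cnf" 2>/dev/null

# Optional self-signed path: the req_ext section must be copied onto the
# certificate explicitly, otherwise the SANs from the CSR are dropped.
openssl x509 -req -days 365 -in "$WORK/cert.csr" -signkey "$WORK/private.key" \
    -out "$WORK/cdsw.crt" -sha256 -extfile "$WORK/cdsw.cnf" -extensions req_ext 2>/dev/null

# check_cert CERT DOMAIN...
# Returns 0 only if every DOMAIN is listed as a DNS entry under
# X509v3 Subject Alternative Name and the signature is sha256WithRSAEncryption.
check_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text)
    # The SAN values are on the line after the extension header, e.g.
    #   DNS:*.cdsw.company.com, DNS:cdsw.company.com
    # A trailing comma is appended so each entry can be matched as "DNS:name,".
    sans="$(printf '%s\n' "$text" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }'),"
    for d in "$@"; do
        case "$sans" in
            *"DNS:$d,"*) ;;
            *) echo "missing SAN entry: $d" >&2; return 1 ;;
        esac
    done
    case "$text" in
        *"Signature Algorithm: sha256WithRSAEncryption"*) ;;
        *) echo "certificate is not signed with SHA-256/RSA" >&2; return 1 ;;
    esac
    return 0
}

check_cert "$WORK/cdsw.crt" 'cdsw.company.com' '*.cdsw.company.com' \
    && echo "certificate OK: SANs and sha256WithRSAEncryption present"
```

Point check_cert at the certificate your CA actually returns (the `<your_tls_cert>.crt` from Step 5) to turn the manual reading of `openssl x509 -text` into a pass/fail gate; a name that is missing or a SHA-1 signature makes it return non-zero.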