Creating a Certificate Signing Request (CSR) and Key/Certificate Pair
Use the following steps to create a Certificate Signing Request (CSR) to submit to your CA. Then, create a private key/certificate pair that can be used to authenticate incoming communication requests to Cloudera Data Science Workbench.
1. Copy and paste the default openssl.cnf.

2. Modify the following sections and save the cdsw.cnf file, populating it with the required configuration parameters, including the SAN field values.

[ CA_default ]
default_md = sha256                  # Update this

[ req ]
default_bits = 2048                  # Update this
req_extensions = req_ext             # Add this line

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]                          # Add this section
subjectAltName = @alt_names

[alt_names]                          # Add this section
DNS.1 = *.cdsw.company.com           # This should be your CDSW wildcard domain
DNS.2 = cdsw.company.com

Key points to note:
- The domains set in the DNS.1 and DNS.2 entries above must match the domain configured for your Cloudera Data Science Workbench deployment (the wildcard domain and its base domain).
- The default_md parameter must be set to sha256 at a minimum. Older hash functions such as SHA1 are deprecated and will be rejected by browsers, either currently or in the very near future.
- The commonName (CN) parameter will be ignored by browsers. You must use Subject Alternative Names.

3. Run the following command to generate the CSR. Fill in the prompts with the relevant information. Do not set a challenge password.

openssl req -out cert.csr -newkey rsa:2048 -nodes -keyout private.key -config cdsw.cnf

This command generates the private key and the CSR in one step. The -nodes switch disables encryption of the private key (which is not supported by Cloudera Data Science Workbench at this time).

4. Use the CSR and private key generated in the previous step to request a certificate from the CA. If you have access to your organization's internal CA or PKI, use the following command to request the certificate. If you do not have access, or are using a third-party/commercial CA, use your organization's respective internal process to submit the CSR.

openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out <your_tls_cert>.crt -sha256 -extfile cdsw.cnf -extensions req_ext

5. Run the following command to verify that the certificate issued by the CA lists both the required domains, *.cdsw.company.com and cdsw.company.com, under X509v3 Subject Alternative Name.

openssl x509 -in <your_tls_cert>.crt -noout -text

You should also verify that a valid hash function is being used to create the certificate. For SHA-256, the value under Signature Algorithm will be sha256WithRSAEncryption.

Optional: For POC purposes, you may wish to use a self-signed certificate without a certificate authority. This can be achieved by using the following commands in Step 5:

# Generate a key:
openssl genrsa -out cert.key 2048
# Self sign your cert. The req_ext section was added to cdsw.cnf, so that is the
# file to pass to -extfile (the unmodified default openssl.cnf has no such section).
# -signkey replaces the public key in the certificate with the one from cert.key,
# so mycert.crt must be deployed together with cert.key, not private.key.
openssl x509 -req -days 3650 -in cert.csr -CAcreateserial -out mycert.crt -sha256 -extfile cdsw.cnf -extensions req_ext -signkey cert.key
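The checks in the verification step (both SAN entries present, SHA-256 signature) plus two that the text leaves to the reader (the private key actually belongs to the certificate, and the certificate is not expired) can be run mechanically before the pair is deployed. The script below is an added example, not part of the Cloudera documentation; it assumes the openssl CLI is installed and that the certificate, its private key and the base domain are passed as arguments.

```shell
#!/bin/sh
# check_cdsw_cert: pre-deployment lint for a CDSW TLS certificate/key pair.
# (Added example; not from the Cloudera documentation.)
# Usage: check_cdsw_cert <cert.crt> <private.key> <base-domain>
# Fails if the SAN does not list both <base-domain> and *.<base-domain>,
# if the signature is not SHA-256 with RSA, if the private key does not
# belong to the certificate, or if the certificate has already expired.
check_cdsw_cert() {
    cert="$1"; key="$2"; domain="$3"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # SAN check: the value is printed on the line after the extension name.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
          tail -n 1 | sed 's/^[[:space:]]*//')
    for name in "DNS:$domain" "DNS:*.$domain"; do
        case ", $san, " in
            *", $name, "*) ;;                       # exact entry present
            *) echo "missing SAN entry: $name"; rc=1 ;;
        esac
    done

    # Hash check: browsers reject SHA-1 signatures.
    printf '%s\n' "$text" |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "signature is not sha256WithRSAEncryption"; rc=1; }

    # Key check: the public key embedded in the certificate must equal the
    # one derived from the private key, or the TLS handshake will fail.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match"; rc=1; }

    # Validity check: -checkend 0 fails if the certificate is expired now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; rc=1; }

    return "$rc"
}

# Run directly: ./check_cdsw_cert.sh <your_tls_cert>.crt private.key cdsw.company.com
if [ "$#" -eq 3 ]; then
    check_cdsw_cert "$@"
fi
```

An exit status of 0 means all four checks passed; each failed check prints one line naming the problem.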