Creating a Certificate Signing Request (CSR) and Key/Certificate Pair
Use the following steps to create a Certificate Signing Request (CSR) to submit to your CA, and then create the private key/certificate pair that Cloudera Data Science Workbench uses to authenticate incoming TLS connections.
- Create a cdsw.cnf file and populate it with the required configuration parameters, including the SAN field values:

      vi cdsw.cnf

  - Copy and paste the default openssl.cnf from http://web.mit.edu/crypto/openssl.cnf.
  - Modify the following sections and save the cdsw.cnf file (the digest name must be sha256; "sha2" is not a digest name OpenSSL recognises):

        [ CA_default ]
        default_md = sha256

        [ req ]
        default_bits = 2048
        distinguished_name = req_distinguished_name
        req_extensions = req_ext

        [ req_distinguished_name ]
        countryName = Country Name (2 letter code)
        stateOrProvinceName = State or Province Name (full name)
        localityName = Locality Name (eg, city)
        organizationName = Organization Name (eg, company)
        commonName = Common Name (e.g. server FQDN or YOUR name)

        [ req_ext ]
        subjectAltName = @alt_names

        [alt_names]
        DNS.1 = *.cdsw.company.com
        DNS.2 = cdsw.company.com
  Key points to note:
  - The domains set in the DNS.1 and DNS.2 entries above must match the DOMAIN set in cdsw.conf.
  - The default_md parameter must be set to sha256 at a minimum. Older hash functions such as SHA1 are deprecated and will be rejected by browsers, either currently or in the very near future.
  - The commonName (CN) parameter will be ignored by browsers. You must use Subject Alternative Names.
- Run the following command to generate the CSR:

      openssl req -out cert.csr -newkey rsa:2048 -nodes -keyout private.key -config cdsw.cnf

  This command generates the private key and the CSR in one step. The -nodes switch disables encryption of the private key (encrypted private keys are not supported by Cloudera Data Science Workbench at this time).
- Use the CSR and private key generated in the previous step to request a certificate from the CA. If you have access to your organization's internal CA or PKI, use the following command to request the certificate. If you do not have access, or are using a third-party/commercial CA, use your organization's respective internal process to submit the request.

      openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out <your_tls_cert>.crt -sha256 -extfile cdsw.cnf -extensions req_ext
- Run the following command to verify that the certificate issued by the CA lists both the required domains, cdsw.company.com and *.cdsw.company.com, under X509v3 Subject Alternative Name:

      openssl x509 -in <your_tls_cert>.crt -noout -text

  You should also verify that a valid hash function is being used to create the certificate. For SHA-256, the value under Signature Algorithm will be sha256WithRSAEncryption.
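The whole procedure (steps 2 to 4) scripted end to end, as an added example that is not part of the Cloudera documentation. It assumes the openssl command-line tool is installed, uses the constructed domain cdsw.example.com, and stands up a throwaway self-signed CA in place of the organisation's internal CA. The cnf it writes keeps the page's req, req_ext and alt_names sections but uses prompt = no so the DN is read from the file instead of interactively. It generalises step 4 into a check function that also runs against the CA's own CN-only certificate, which fails, illustrating the key point that a certificate without Subject Alternative Names is not acceptable.

```shell
#!/bin/sh
# Added example, not Cloudera's own code: builds a SAN-bearing cdsw.cnf,
# generates the key and CSR, signs with a constructed throwaway CA that
# stands in for the organisation's internal CA, and checks the result as
# step 4 describes. cdsw.example.com and the CA subject are constructed.
set -eu

# Write a minimal cdsw.cnf for DOMAIN into DIR. It keeps the page's req,
# req_ext and alt_names sections but uses prompt = no so the DN is filled
# in from the file rather than interactively.
write_cnf() {
    dir=$1; domain=$2
    cat > "$dir/cdsw.cnf" <<EOF
[ req ]
default_md = sha256
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
O = Constructed Example Org
CN = $domain

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.$domain
DNS.2 = $domain
EOF
}

# Step 2: private key and CSR in one step; -nodes leaves the key unencrypted.
make_csr() {
    openssl req -batch -config "$1/cdsw.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/private.key" -out "$1/cert.csr" 2>/dev/null
}

# Constructed self-signed CA (CN only, no SANs); it also serves as the
# negative case for check_cert below.
make_test_ca() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 3: sign the CSR. The SAN entries enter the certificate through
# -extfile/-extensions req_ext, so leaving those off is the classic mistake.
sign_csr() {
    openssl x509 -req -days 365 -in "$1/cert.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -extfile "$1/cdsw.cnf" -extensions req_ext \
        -out "$2" 2>/dev/null
}

# Step 4: return 0 only if CERT lists both DNS names under the SAN extension
# and was signed with sha256WithRSAEncryption.
check_cert() {
    cert=$1; domain=$2
    text=$(openssl x509 -in "$cert" -noout -text)
    printf '%s\n' "$text" | grep -qF "DNS:*.$domain" || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$domain" || return 1
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
}

# End to end: the server certificate must pass and the CN-only CA
# certificate must fail. Returns 0 when both expectations hold.
run_demo() {
    dir=$(mktemp -d); domain=cdsw.example.com
    write_cnf "$dir" "$domain"
    make_csr "$dir"
    make_test_ca "$dir"
    sign_csr "$dir" "$dir/server.crt"
    check_cert "$dir/server.crt" "$domain" || { echo "server.crt failed the SAN/digest check"; return 1; }
    if check_cert "$dir/ca.crt" "$domain"; then echo "CN-only certificate wrongly passed"; return 1; fi
    rm -rf "$dir"
}

run_demo && echo "certificate checks passed"
```

To reuse check_cert against a certificate issued by a real CA, call it with the certificate path and the DOMAIN from cdsw.conf; it is the scripted form of the step 4 eyeball check, and an exit status of 1 means either a SAN entry or the SHA-256 signature is missing.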