TLS key and certificate examples

Review the following examples to understand how to implement Transport Layer Security (TLS) encryption in Cloudera Edge Management (CEM).

Prerequisites

You need a Root Certificate Authority (CA) to sign the generated certificates. If you do not have one, you can generate one with the following commands. Cloudera does not recommend using self-signed certificates for production environments.

openssl genrsa -out root.key
openssl req -new -x509 -key root.key -out root.crt

Example 1 - Generating EFM certificates with one private key entry

Use the following commands to generate a keystore and a truststore for EFM with a single private key entry. Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.

keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias server -validity 365 -genkey -keyalg RSA -ext SAN=dns:node1.example.com -dname "CN=node1"
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -certreq -file server.unsigned.crt -ext SAN=dns:node1.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in server.unsigned.crt -out server.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -import -file server.signed.crt
keytool -keystore efm_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt

Example 2 - Generating EFM certificates with two private key entries

Use the following commands to generate a keystore and a truststore for EFM with two private key entries: one for EFM web communication (server) and one for EFM internal communication (service). Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.

keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias server -validity 365 -genkey -keyalg RSA -ext SAN=dns:node1.example.com -dname "CN=node1"
keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias service -validity 365 -genkey -keyalg RSA -dname "CN=service"
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -certreq -file server.unsigned.crt -ext SAN=dns:node1.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in server.unsigned.crt -out server.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias service -certreq -file service.unsigned.crt
openssl x509 -req -CA root.crt -CAkey root.key -in service.unsigned.crt -out service.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -import -file server.signed.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias service -import -file service.signed.crt
keytool -keystore efm_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt

Example 3 - Generating agent certificates

Use the following commands to generate a keystore and a truststore for agents with a single private key entry. Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.

keytool -keystore agent_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias agent -validity 365 -genkey -keyalg RSA -ext SAN=dns:agent.example.com -dname "CN=agent"
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias agent -certreq -file agent.unsigned.cert -ext SAN=dns:agent.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in agent.unsigned.cert -out agent.signed.cert -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias agent -import -file agent.signed.cert
keytool -keystore agent_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt