TLS key and certificate examples
Review the following examples to understand how to implement Transport Layer Security (TLS) encryption in Cloudera Edge Management.
Prerequisites
You need a Root Certificate Authority (CA) to sign the generated certificates. If you do not have one, you can generate a root key and a self-signed root certificate with the following commands. Cloudera does not recommend using self-signed certificates for production environments.
openssl genrsa -out root.key
openssl req -new -x509 -key root.key -out root.crt
Example 1 - Generating Edge Flow Manager certificates with one private key entry
Use the following commands to generate a keystore and a truststore for Edge Flow Manager with a single private key entry. Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.
keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias server -validity 365 -genkey -keyalg RSA -ext SAN=dns:node1.example.com -dname "CN=node1"
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -certreq -file server.unsigned.crt -ext SAN=dns:node1.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in server.unsigned.crt -out server.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -import -file server.signed.crt
keytool -keystore efm_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt
Example 2 - Generating Edge Flow Manager certificates with two private key entries
Use the following commands to generate a keystore and a truststore for Edge Flow Manager with multiple private key entries: one for Edge Flow Manager web communication (server) and one for Edge Flow Manager internal communication (service). Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.
keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias server -validity 365 -genkey -keyalg RSA -ext SAN=dns:node1.example.com -dname "CN=node1"
keytool -keystore efm_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias service -validity 365 -genkey -keyalg RSA -dname "CN=service"
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -certreq -file server.unsigned.crt -ext SAN=dns:node1.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in server.unsigned.crt -out server.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias service -certreq -file service.unsigned.crt
openssl x509 -req -CA root.crt -CAkey root.key -in service.unsigned.crt -out service.signed.crt -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias server -import -file server.signed.crt
keytool -keystore efm_keystore.pkcs12 -storepass changeIt -alias service -import -file service.signed.crt
keytool -keystore efm_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt
Example 3 - Generating agent certificates
Use the following commands to generate a keystore and a truststore for agents with a single private key entry. Use a secure password and change the dname and the SAN entry of the certificate to match your specific use case.
keytool -keystore agent_keystore.pkcs12 -keypass changeIt -storepass changeIt -alias agent -validity 365 -genkey -keyalg RSA -ext SAN=dns:agent.example.com -dname "CN=agent"
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias agent -certreq -file agent.unsigned.cert -ext SAN=dns:agent.example.com
openssl x509 -req -CA root.crt -CAkey root.key -in agent.unsigned.cert -out agent.signed.cert -days 365 -CAcreateserial -copy_extensions copyall
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias CARoot -import -file root.crt
keytool -keystore agent_keystore.pkcs12 -storepass changeIt -alias agent -import -file agent.signed.cert
keytool -keystore agent_truststore.pkcs12 -keypass changeIt -storepass changeIt -alias CARoot -import -file root.crt
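The three examples above all end with a signed certificate that must chain to root.crt (the only entry in the truststores) and carry a SAN matching the hostname the other side connects to. The following script is an added example, not part of the Cloudera documentation: it builds a constructed root CA and signed server certificate with OpenSSL only (no keytool) and then runs the checks worth doing before importing the files into a keystore. It passes the SAN through -extfile instead of -copy_extensions so it also runs on OpenSSL 1.1; the hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation. It builds a
# constructed root CA and a signed server certificate with OpenSSL only,
# then runs the checks worth doing before loading the files into the
# Edge Flow Manager keystore and truststore. The SAN is supplied through
# -extfile rather than -copy_extensions so it also works on OpenSSL 1.1.
set -eu

# check_cert ROOT_CRT LEAF_CRT HOSTNAME
# Exit 0 only if LEAF_CRT chains to ROOT_CRT (what the truststore will
# trust), its SAN covers HOSTNAME (what the peer connects to), and it is
# not due to expire within 30 days (2592000 seconds).
check_cert() {
  root=$1; leaf=$2; host=$3
  openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 \
    || { echo "$leaf: does not chain to $root"; return 1; }
  openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "$leaf: SAN does not cover $host"; return 2; }
  openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null \
    || { echo "$leaf: expires within 30 days"; return 3; }
  echo "$leaf: chain, SAN and validity OK for $host"
}

# make_test_material DIR HOSTNAME
# Constructed root CA plus a leaf certificate for HOSTNAME signed by it,
# following the same req -> x509 -req flow as the documentation above.
make_test_material() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Demo on constructed material: the right hostname passes, a mismatch fails.
work=$(mktemp -d)
make_test_material "$work" node1.example.com
check_cert "$work/root.crt" "$work/server.crt" node1.example.com
check_cert "$work/root.crt" "$work/server.crt" wrong.example.com || echo "rejected as expected"
```

Run check_cert against root.crt and the server.signed.crt, service.signed.crt or agent.signed.cert produced above before importing them; a SAN mismatch or a wrong root is far cheaper to catch here than as a handshake failure between agents and Edge Flow Manager.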