Explicit Trust for Certificates
- Copy the root and intermediate CA certificates to these locations on the Cloudera Manager Server host:

    /opt/cloudera/security/pki/rootca.cert.pem
    /opt/cloudera/security/pki/intca.cert.pem
- For concatenated files containing root CA and intermediate CA certificates, split the file at the END CERTIFICATE and BEGIN CERTIFICATE boundaries that separate each certificate in the file and make individual files instead.
- When extracting multiple intermediate CA certificates from a concatenated file, use unique file names such as intca-1.cert.pem, intca-2.cert.pem, and so on.
- Import the root CA certificate into the JDK truststore. If you do not have the $JAVA_HOME variable set, replace it with the path to the Oracle JDK.

    $ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
        -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit

  The default password for the cacerts file is changeit (as shown in the above command). Cloudera recommends changing this password by running the keytool command:

    keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/cacerts
- Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts. Copy the file to the same location on each host, using the path required by Oracle JDK:

    $JAVA_HOME/jre/lib/security/jssecacerts
- On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate. Be sure to use the append (>>) operator, not overwrite (>), when executing the statement:

    $ sudo cat /opt/cloudera/security/pki/intca.cert.pem >> \
        /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem
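The splitting step and the final append step are where this procedure most often goes wrong in practice (a bundle cut at the wrong line, or a server certificate file with no trailing newline so the END and BEGIN markers fuse and the chain no longer parses). The helpers below are an added example in POSIX shell plus awk, not Cloudera's own tooling; the cert-N.pem output names, the make_constructed_bundle helper and its placeholder certificate bodies are constructed for illustration.

```shell
# Split a concatenated PEM bundle into one file per certificate, cutting at the
# BEGIN/END CERTIFICATE boundaries. Files are written in bundle order as
# <outdir>/cert-1.pem, cert-2.pem, ... (constructed names; rename them to
# rootca.cert.pem, intca-1.cert.pem, ... once you know which is which). Prints the count.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Count the certificates in a PEM file: a split-out file must hold exactly 1,
# and the server certificate must hold 2 after the intermediate is appended.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Append a CA certificate with >> as in the last step, but first make sure the
# target ends with a newline; otherwise the server certificate's END marker and
# the CA's BEGIN marker land on one line and TLS libraries reject the file.
append_cert() {
    ca="$1"
    target="$2"
    if [ -s "$target" ] && [ "$(tail -c 1 "$target" | wc -l | tr -d ' ')" -eq 0 ]; then
        printf '\n' >> "$target"
    fi
    cat "$ca" >> "$target"
}

# Constructed three-certificate bundle (placeholder bodies, not real certificates).
make_constructed_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntCA1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedIntCA2
-----END CERTIFICATE-----
EOF
}
```

After splitting, identify the root and intermediates (for example by inspecting each file's subject and issuer) before renaming, since bundle order is not guaranteed.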