Creating cacerts.pem file
You can create a cacerts.pem file including all the self-signed certificates in it.
You can collect all the self-signed certificates of the control plane, virtual cluster, Spark Connect, and CDE service hostnames and add all of them to a cacerts.pem file.
- Identify the control plane hostname.
  The control plane hostname is the host name present in the URL used to access the private cloud control plane. For example, if https://console-cdp.apps.example.cloudera.com is the control plane URL, then console-cdp.apps.example.cloudera.com is the control plane hostname.
- Identify the virtual cluster hostname as follows:
  - Select the CDE service containing the virtual cluster that you want to activate.
  - Click Cluster Details.
  - Click JOBS API URL to copy the URL to your clipboard.
  - Paste the URL into a text editor to identify the endpoint host.
    For example, if the copied URL is https://dfdj6kgx.cde-2cdxw5x5.apps.ecs-demo.example.com/dex/api/v1, then the endpoint host is dfdj6kgx.cde-2cdxw5x5.apps.ecs-demo.example.com.
- Identify the Spark Connect hostname: prefix "sc-" to the virtual cluster hostname identified in the preceding step. For example, if the virtual cluster hostname is dfdj6kgx.cde-2cdxw5x5.apps.ecs-demo.example.com, then the Spark Connect hostname is sc-dfdj6kgx.cde-2cdxw5x5.apps.ecs-demo.example.com.
- Identify the CDE service hostname as follows:
  - Select the CDE service containing the virtual cluster that you want to activate.
  - Click Cluster Details.
  - Click Grafana Charts to copy the URL to your clipboard.
  - Paste the URL into a text editor to identify the endpoint host.
    For example, if the copied URL is https://service.cde-2cdxw5x5.apps.ecs-demo.example.com/grafana/249u4dnkfnkdf, then the endpoint host is service.cde-2cdxw5x5.apps.ecs-demo.example.com.
- Run the following commands to add all the certificates into a single cacerts.pem file:

    openssl s_client -connect [***control plane hostname***]:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> cacerts.pem
    openssl s_client -connect [***virtual cluster hostname***]:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> cacerts.pem
    openssl s_client -connect [***spark connect hostname***]:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> cacerts.pem
    openssl s_client -connect [***cde service hostname***]:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> cacerts.pem
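
The whole procedure as one script, added here as an example (not Cloudera's own code; the function names are hypothetical). It derives the four hostnames from the three URLs, truncates the output file because `>>` duplicates entries on a re-run, stops if a host returns no certificate, and prints each certificate's SHA-256 fingerprint so it can be compared with a value obtained from the cluster administrator before the bundle is trusted.

```shell
#!/bin/sh
# Added example (not Cloudera's code). Function names are hypothetical.

# host_from_url URL: print the hostname (drops scheme, path and any :port).
host_from_url() {
  _h="${1#*://}"
  _h="${_h%%/*}"
  printf '%s\n' "${_h%%:*}"
}

# cde_hostnames CONTROL_PLANE_URL JOBS_API_URL GRAFANA_URL
# Print the four hostnames in the order the procedure lists them.
cde_hostnames() {
  _vc="$(host_from_url "$2")"
  host_from_url "$1"
  printf '%s\n%s\n' "$_vc" "sc-$_vc"   # Spark Connect = "sc-" + virtual cluster
  host_from_url "$3"
}

# fetch_leaf HOST: the page's own command, printing the presented certificate.
fetch_leaf() {
  openssl s_client -connect "$1:443" 2>/dev/null </dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# build_bundle OUTFILE CONTROL_PLANE_URL JOBS_API_URL GRAFANA_URL
build_bundle() {
  _out="$1"; shift
  : > "$_out"                      # truncate: ">>" alone duplicates on re-run
  for _host in $(cde_hostnames "$@"); do
    _pem="$(fetch_leaf "$_host")"
    if [ -z "$_pem" ]; then        # unreachable host or failed handshake
      echo "no certificate returned by $_host:443" >&2
      return 1
    fi
    printf '%s\n' "$_pem" >> "$_out"
    # Fingerprint to compare with a value obtained out of band.
    printf '%s ' "$_host"
    printf '%s\n' "$_pem" | openssl x509 -noout -fingerprint -sha256
  done
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
  build_bundle "$@"
fi
```

Invoke it as `sh build-cacerts.sh cacerts.pem <control plane URL> <JOBS API URL> <Grafana Charts URL>`; the script file name is an assumption.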