How to Add Root and Intermediate CAs to Truststore for TLS/SSL

If a signed certificate is from a certificate authority (CA) that does not have certificates in the truststore for whatever reason (internal CA or a public CA not included in the Java truststore, for example), you must explicitly establish trust for the CA, as detailed below.

Explicit Trust for Certificates

Before importing the certificate into the host system's keystore, you must load the root CAs and any intermediate CAs into the truststore.
  1. Copy the root and intermediate CA certificates to these locations on the Cloudera Manager Server host:
  2. If you have a concatenated file containing the root CA and an intermediate CA certificate, split the file along the END CERTIFICATE/BEGIN CERTIFICATE boundary into individual files.
  3. If there are multiple intermediate CA certificates, use unique file names such as intca-1.cert.pem, intca-1.cert.pem, and so on.
  4. Import the root CA certificate into the JDK truststore. If you do not have the $JAVA_HOME variable set, replace it with the path to the Oracle JDK.
    $ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
    -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit
    The default password for the cacerts file is changeit. Cloudera recommends changing this password by running the command keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/cacerts.
  5. Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts. Make sure you copy the file to the correct location ($JAVA_HOME/jre/lib/security/jssecacerts), because the Oracle JDK expects it there.
  6. On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate. Be sure to use the append operator (>>)—not overwrite (>)—when executing the statement:
    $ sudo cat /opt/cloudera/security/pki/intca.cert.pem >> /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem