How to Add Root and Intermediate CAs to Truststore for TLS/SSL

If a signed certificate was issued by a certificate authority (CA) whose certificates are not already in the truststore (an internal CA, or a public CA that the Java truststore does not include, for example), you must explicitly establish trust for that CA, as detailed below.

Explicit Trust for Certificates

Before importing the certificate into the host system's keystore, you must load the root CA and any intermediate CAs into the truststore.
  1. Copy the root and intermediate CA certificates to the Cloudera Manager Server host (the commands below assume /opt/cloudera/security/pki/):
    1. If you received one file with the root CA and intermediate CA certificates concatenated, split it at the boundary between each END CERTIFICATE line and the BEGIN CERTIFICATE line that follows it, so that each certificate ends up in its own file.
    2. If there are multiple intermediate CA certificates, give each one a unique file name, such as intca-1.cert.pem, intca-2.cert.pem, and so on.
  2. Import the root CA certificate into the JDK truststore. If the $JAVA_HOME variable is not set, replace it with the path to the Oracle JDK.
    $ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
    -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit
    Java uses jssecacerts in preference to cacerts whenever jssecacerts exists. If the file does not exist yet, keytool creates it containing only this one certificate, so if the JVM must keep trusting the public CAs as well, create jssecacerts as a copy of cacerts before running the import.
    The default password for the JDK truststore (cacerts, and therefore a jssecacerts copied from it) is changeit, as shown in the command above. Cloudera recommends changing this password with keytool, then supplying the new password in place of changeit in later keytool commands:
    keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/jssecacerts
    If you omit -storepass, keytool prompts for the password instead, which keeps it out of the shell history and process listing.
  3. Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts, placing it at the same location required by the Oracle JDK on each host, $JAVA_HOME/jre/lib/security/jssecacerts.
  4. On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate, so that the server (leaf) certificate comes first in the file and the intermediate follows it. Append to the file rather than overwriting it: in a plain "sudo cat intca.cert.pem >> server.cert.pem" the redirection is opened by your own shell, not by sudo, so it fails on a root-owned file, and a ">" in its place would truncate the server certificate. Using tee -a under sudo avoids both problems:
    $ cat /opt/cloudera/security/pki/intca.cert.pem | sudo tee -a \
    /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem >/dev/null
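The bundle splitting of step 1 and the chain assembly of step 4 are easy to get subtly wrong by hand (a stray blank line or comment ending up in a certificate file, or the server certificate overwritten instead of appended to). The following added example, which is not code from the original page or from Cloudera, does both with small shell functions and checks the result. All paths, file names and PEM bodies in it are constructed for the example and are not real certificates; the keytool import itself is left to the steps above.

```shell
#!/bin/sh
# Added example (not part of the original page or of Cloudera's tooling):
# split a concatenated PEM bundle into one file per certificate (step 1) and
# append the intermediate CA to the signed server certificate (step 4).
# Every path and PEM body here is constructed for the example.

# split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.cert.pem, OUTDIR/PREFIX-2.cert.pem, ... and prints
# the number of certificates found. Only lines from BEGIN CERTIFICATE through
# END CERTIFICATE are copied, so blank lines or comments between blocks are
# dropped instead of landing in a certificate file.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" -v pfx="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%d.cert.pem", dir, pfx, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# append_intermediate SERVER_CERT INTCA_CERT
# Appends the intermediate after the server (leaf) certificate, the order TLS
# peers expect. Run this as the user that owns SERVER_CERT; when root owns it,
# use  cat "$INTCA_CERT" | sudo tee -a "$SERVER_CERT" >/dev/null  instead,
# because in "sudo cat a >> b" your own shell, not sudo, opens the redirect.
append_intermediate() {
    cat "$2" >> "$1"
}

# --- Constructed sample data: fake PEM bodies, not real certificates -------
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/ca-bundle.pem" <<'EOF'
# root CA followed by two intermediates (constructed bundle)
-----BEGIN CERTIFICATE-----
MIIBfakeROOTCAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBfakeINTCA1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBfakeINTCA2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
EOF

# Step 1: one file per certificate. The first block in a root-first bundle is
# the root CA; rename it to rootca.cert.pem and the rest to intca-N.cert.pem.
N_CERTS=$(split_pem_bundle "$WORKDIR/ca-bundle.pem" "$WORKDIR/split" ca)

# Step 4: constructed server certificate, then the intermediate appended.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeSERVERxxxxxxxxxxxxxxxx' \
    '-----END CERTIFICATE-----' > "$WORKDIR/server.cert.pem"
append_intermediate "$WORKDIR/server.cert.pem" "$WORKDIR/split/ca-2.cert.pem"
CHAIN_CERTS=$(count_certs "$WORKDIR/server.cert.pem")

echo "split $N_CERTS certificates into $WORKDIR/split; server chain now holds $CHAIN_CERTS"
```

The split keeps nothing outside the BEGIN/END markers, so a bundle that carries comments or blank lines between blocks still yields clean one-certificate files, and the count it prints is worth comparing against the number of certificates the CA told you to expect. After the keytool import in step 2, keytool -list -keystore $JAVA_HOME/jre/lib/security/jssecacerts -alias rootca confirms the root CA is present under the expected alias.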