Managing Key Trustee Server Certificates

Transport Layer Security (TLS) certificates are used to secure communication with Key Trustee Server. By default, Key Trustee Server generates self-signed certificates when it is first initialized. Cloudera strongly recommends using certificates signed by a trusted Certificate Authority (CA).

Generating a New Certificate

  1. Generate a new certificate signing request (CSR):
    $ openssl req -new -key keytrustee_private_key.pem -out new.csr

    Replace keytrustee_private_key.pem with the filename of the private key. You can reuse the existing private key or generate a new private key in accordance with your company policies. For existing auto-generated self-signed certificates, the private key file is located at /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem.

  2. Generate a new certificate from the CSR:
    • For a CA-signed certificate, submit the CSR to the CA, and they will provide a signed certificate.
    • To generate a new self-signed certificate, run the following command:
      $ openssl x509 -req -days 365 -in new.csr -signkey keytrustee_private_key.pem \
      -out new_keytrustee_certificate.pem

Replacing Key Trustee Server Certificates

Use the following procedure if you need to replace an existing certificate for the Key Trustee Server. For example, you can use this procedure to replace the auto-generated self-signed certificate with a CA-signed certificate, or to replace an expired certificate.
  1. After Generating a New Certificate, replace the original certificate and key files with the new certificate and key.
    1. Back up the original certificate and key files:
      $ sudo cp -r /var/lib/keytrustee/.keytrustee/.ssl /var/lib/keytrustee/.keytrustee/.ssl.bak
    2. Move the new certificate and key to the original location and filenames, overwriting the original files:
      $ sudo mv /path/to/keytrustee_private_key.pem /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-pk.pem
      $ sudo mv /path/to/new_keytrustee_certificate.pem /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
    3. (CA-Signed Certificates Only) Remove the private CA key file and provide the root or intermediate CA certificate. The private CA key is used by Key Trustee Server to self-sign certificates. If you are replacing self-signed certificates with CA-signed certificates, this key must be removed:
      $ sudo rm /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-ca-pk.pem
      $ sudo mv /path/to/rootca.pem /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee-ca.pem
  2. Restart the Key Trustee Server daemon:

    Using Cloudera Manager: Restart the Key Trustee Server service (Key Trustee Server service > Actions > Restart).

    Using the Command Line: Restart the Key Trustee Server daemon:
    $ sudo /etc/init.d/keytrusteed restart
  3. If you are using the Key Trustee KMS service in Cloudera Manager for HDFS Data At Rest Encryption, update the Java KeyStore (JKS) used on the Key Trustee KMS host:
    1. Download the new certificate to the Key Trustee KMS host:
      $ echo -n | openssl s_client -connect \
      | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/keytrustee_certificate.pem
    2. Delete the existing keystore entry for
      $ keytool -delete -alias key_trustee_alias_name -keystore /path/to/truststore -v
    3. Add the new keystore entry for
      $ keytool -import -trustcacerts -alias \
      -file /tmp/keytrustee_certificate.pem -keystore /path/to/truststore
    4. Restart the Key Trustee KMS service in Cloudera Manager.