This is the documentation for Cloudera Manager 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Creating Certificates

The following sections will walk you through obtaining certificates from commercial Certificate Authorities and creating self-signed test certificates.

Using Keytool

Keytool is a utility for creating and managing certificates and cryptographic keys, and is part of the standard JDK distribution. The keytool executable usually resides in $JAVA_HOME/bin.

Keytool stores certificates and keys in a file known as a keystore. While several different keystore types are supported, by default keytool uses the Java KeyStore (JKS) format.

Java-based services such as HDFS, MapReduce, and YARN use the JKS format by default. For this reason it is particularly convenient to use keytool for managing keys and certificates for these services. In the following topics, we assume you are using keytool.

For additional information on keytool, refer the keytool documentation.

Using OpenSSL

Python-based services such as Hue expect certificates and keys to be stored in PEM format. When managing certificates and keys for such services, you may find it convenient to use the openssl tool.

Refer the openssl documentation for more information.

Obtaining a Production Certificate from a Commercial CA

Once you have decided on a certificate-provisioning strategy, and have determined which hosts require certificates, you will typically purchase the necessary certificates from a commercial Certificate Authority (CA). The procedure for applying for a certificate varies from one CA to another, but typically involves providing some form of proof that you are the legitimate owner of the domain name for which you are requesting a certificate, generating a key pair, and submitting a Certificate Signing Request (CSR) to the CA.

As noted above, you may find it convenient to use the Java keytool utility to generate your key pair and CSR, and to manage your certificates. The CA you choose will provide instructions for obtaining and installing a certificate; typically, there will be separate sets of instructions for different web and application servers. The instructions for Java-based servers (Tomcat, for example), will usually describe the following process comprising three keytool commands to obtain a certificate:

  1. keytool -genkeypair to generate a public/private key pair and create the keystore.
  2. keytool -certreq to create the CSR.
  3. keytool -importcert to import the signed certificate into the keystore.
For example, to generate a public/private key pair for the domain name node1.example.com, you would use a command similar to the one shown below:
$ keytool -genkeypair -keystore node1.keystore -alias node1 \
-dname "CN=node1.example.com O=Hadoop" -keyalg RSA \
-keysize 2048 -storepass changeme -keypass changeme2

This command generates a pair of 2048-bit keys using the RSA key algorithm, one of several available. The keys are stored in a keystore file called node1.keystore, in a keystore entry identified by by the alias node1. The keystore password (which protects the keystore as a whole) and the key password (which protects the private key stored in the node1 entry) are set via the -storepass and -keypass options (respectively).

To create a CSR, you would use a command similar to the following:

$ keytool -certreq -keystore node1.keystore -alias node1 \
-storepass changeme -keypass changeme2 -file node1.csr
This command generates the CSR, and stores it in a file called node1.csr. Once you've submitted your CSR to the CA, and received the CA's reply (containing the signed certificate), you will use the following keytool -importcert command to import the reply into your keystore:
$ keytool -importcert -keystore node1.keystore -alias node1 \
-storepass changeme -keypass changeme2 -trustcacerts -file node1.crt

Here we assume that the CA's reply is stored in the file node1.crt.

  Important: This section describes a generic procedure using keytool to obtain a certificate from a commercial Certificate Authority. This procedure will differ from one CA to another and Cloudera recommends you consult your CA's documentation for more specifics.

Creating Self-Signed Test Certificates

  Important: Cloudera strongly recommends against the use of self-signed certificates in production clusters.

It is also possible to create your own test certificates. These certificates are typically self-signed; that is, they are signed by your own private key, rather than that of an external CA. Such test certificates are useful during testing and bringup of a cluster.

To generate a self-signed certificate, use keytool -genkeypair. (In addition to creating a public/private key pair, this command wraps the public key into a self-signed certificate.) For example, the following command creates a self-signed test certificate for the host node1.example.com, and stores it in a keystore named node1.keystore:
$ keytool -genkeypair -keystore node1.keystore -keyalg RSA \
-alias node1 -dname "CN=node1.example.com O=Hadoop" \
-storepass changeme -keypass changeme2
Page generated September 3, 2015.