How to Add Root and Intermediate CAs to Truststore for TLS/SSL
If a signed certificate is from a certificate authority (CA) that does not have certificates in the truststore for whatever reason (internal CA or a public CA not included in the Java truststore, for example), you must explicitly establish trust for the CA, as detailed below.
Explicit Trust for Certificates
- Copy the root and intermediate CA certificates to the Cloudera Manager Server host. The commands below expect them at /opt/cloudera/security/pki/rootca.cert.pem and /opt/cloudera/security/pki/intca.cert.pem.
- If you have a concatenated file containing the root CA and an intermediate CA certificate, split the file along the END CERTIFICATE/BEGIN CERTIFICATE boundary into individual files.
- If there are multiple intermediate CA certificates, use unique file names such as intca-1.cert.pem, intca-2.cert.pem, and so on.
- Import the root CA certificate into the JDK truststore. If you do not have the $JAVA_HOME variable set, replace it with the path to the Oracle JDK.
$ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
    -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit

The default password for the cacerts file is changeit. Cloudera recommends changing this password by running the command keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/cacerts.
- Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts. Make sure you copy the file to the correct location ($JAVA_HOME/jre/lib/security/jssecacerts), because the Oracle JDK expects it there.
- On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate. Be sure to use the append operator (>>)—not overwrite (>)—when executing the statement:
$ sudo cat /opt/cloudera/security/pki/intca.cert.pem >> /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem
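The splitting and appending steps above, scripted as an added example (this is not Cloudera's own tooling). It assumes a concatenated PEM bundle ordered root CA first, then intermediates, and uses the file names from the steps above; the append step is made safe to re-run, since repeating the >> command blindly leaves a duplicated intermediate in the server certificate file.

```shell
#!/bin/bash
# Added example, not Cloudera's own tooling. Assumes a concatenated PEM bundle
# ordered root CA first, then intermediates, and the file names used above.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Splits a concatenated PEM file on the END CERTIFICATE/BEGIN CERTIFICATE
# boundary. Block 1 becomes OUTDIR/rootca.cert.pem; later blocks become
# OUTDIR/intca-1.cert.pem, intca-2.cert.pem, ... (unique names, as advised).
# Text outside the BEGIN/END markers (e.g. "Bag Attributes") is dropped.
# Prints the number of certificates written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = (n == 1) ? dir "/rootca.cert.pem" : dir "/intca-" (n - 1) ".cert.pem"
            inblock = 1
        }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0 }
        END { print n + 0 }
    ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# append_intermediate INTCA SERVERCERT
# The >> step above, made idempotent: if the intermediate is already present
# in the server certificate file, nothing is appended and 1 is returned.
append_intermediate() {
    if tr -d '\n' < "$2" | grep -qF -- "$(tr -d '\n' < "$1")"; then
        return 1
    fi
    # Ensure the existing file ends with a newline so the PEM blocks do not fuse.
    if [ -n "$(tail -c1 "$2")" ]; then printf '\n' >> "$2"; fi
    cat "$1" >> "$2"
}
```

Afterwards, count_certs on the server certificate file should report exactly one more block than before; the keytool import of rootca.cert.pem is unchanged from the step above.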