TLS/SSL Certificates Overview

You can create TLS/SSL certificates to secure communications between cluster servers and clients in one of three different ways:

  • Public CA-signed certificates: Using certificates signed by a trusted public certificate authority (CA) simplifies deployment because the default Java truststore (the JDK's cacerts file) already contains the root certificates of most public CAs, so clients need no extra trust configuration.
  • Internal CA-signed certificates: Using certificates signed by your organization's internal CA can also simplify deployment if the internal CA is already set up and trusted throughout your infrastructure. (If not, you must distribute the internal CA's root certificate to every host and add it to each client's truststore.)
  • Self-signed certificates: Using self-signed certificates complicates deployment because there is no common issuer to trust: you must generate a certificate for each host, distribute them yourself, and configure every client of a service to trust the specific certificate used by that service.

Regardless of the approach you choose, TLS/SSL requires a certificate on each host that runs a service daemon role in the cluster, and TLS/SSL must be enabled for all services in the cluster, not just some of them. That is, if you enable TLS/SSL for the HDFS service on a cluster running HDFS, MapReduce, and YARN, you must also enable TLS/SSL for MapReduce and YARN.
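The following shell script is an added example, not part of the original page and not Cloudera tooling. It builds the internal-CA and self-signed models with openssl in a scratch directory and shows what a client has to trust in each case: a CA-signed host certificate verifies against the CA's root certificate (and only for the host name in its SAN), while a self-signed certificate verifies only when that exact certificate is the trust anchor. The host names, the CA name and the scratch directory are assumptions; the optional keytool step shows how the same CA root would be added to a Java truststore.

```shell
#!/usr/bin/env bash
# Added example: the three trust models from the text, built with openssl.
# Everything lives in a scratch directory (assumption: nothing persists).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Stand-in for "your organization's internal CA": a self-signed root.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Internal-CA model: host key + CSR, signed by the CA, host name in the SAN.
make_ca_signed_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
  openssl x509 -req -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORKDIR/$host.ext" \
    -out "$WORKDIR/$host.crt" 2>/dev/null
}

# Self-signed model: subject == issuer, no CA involved at all.
make_self_signed_cert() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" 2>/dev/null
}

# Emulate a client whose truststore contains only $2: does it accept $1?
# Optional $3 is the host name the client connected to (SAN must match).
# Prints "ok" or "fail".
verify_against() {
  cert="$1"; trust="$2"; name="${3:-}"
  if [ -n "$name" ]; then
    openssl verify -CAfile "$trust" -verify_hostname "$name" "$cert" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$trust" "$cert" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Java clients: put the CA root (or the self-signed cert) into a JKS truststore.
# Only runs if keytool is installed; "changeit" is the JDK's stock password.
import_into_truststore() {
  certfile="$1"; alias="$2"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping truststore import" >&2
    return 0
  fi
  keytool -importcert -noprompt -alias "$alias" -file "$certfile" \
    -keystore "$WORKDIR/truststore.jks" -storepass changeit >/dev/null 2>&1
}

demo() {
  make_internal_ca
  make_ca_signed_cert node1.example.com
  make_self_signed_cert node2.example.com
  echo "CA-signed cert, client trusts CA root:        $(verify_against "$WORKDIR/node1.example.com.crt" "$WORKDIR/ca.crt" node1.example.com)"
  echo "CA-signed cert, wrong host name:              $(verify_against "$WORKDIR/node1.example.com.crt" "$WORKDIR/ca.crt" node9.example.com)"
  echo "Self-signed cert, client trusts CA root:      $(verify_against "$WORKDIR/node2.example.com.crt" "$WORKDIR/ca.crt")"
  echo "Self-signed cert, client trusts that cert:    $(verify_against "$WORKDIR/node2.example.com.crt" "$WORKDIR/node2.example.com.crt" node2.example.com)"
  import_into_truststore "$WORKDIR/ca.crt" internal-ca
}

demo
```

Run it as a script and the four verify lines print ok, fail, fail, ok. The asymmetry is the point of the text: with a CA (public or internal) every client trusts one root and any number of host certificates chain to it, while with self-signed certificates each client must be taught each service's certificate individually, and a new or rotated certificate means redoing that distribution.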