question Re: Replace Self Signed SSL certificates with CA signed in Archives of Support Questions (Read Only)

Replace Self Signed SSL certificates with CA signed

Shelton — Fri, 16 Sep 2022 11:15:25 GMT

I have created self signed certificates (.csr and .key) for my Ambari and Ranger in a kerberized environment all is working fine.We just order CA signed certificates ,so my question is how to I just repalce these self signed certificates with too much reconfiguration.

Re: Replace Self Signed SSL certificates with CA signed

vgumashta — Thu, 23 Mar 2017 10:36:43 GMT

@Geoffrey Shelton Okot You can follow instructions similar to this: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/_set_up_truststore_for_ambari_server.html. Basically you'll need to import certificates to your truststore/keystore.

Re: Replace Self Signed SSL certificates with CA signed

Shelton — Tue, 04 Apr 2017 05:58:19 GMT

Resolved

Here we go, the CA signed certificate $ambari_server_fqdn.crt to replaces the crt generated during the selfsigned test phase and the private key generated during the CSR creation is $ambari_server_fqdn.key copy the .crt and .keys, Ambari stores the ssl config in /etc/lib/ambari_server ........

# cp /etc/ambari-server/certs/$ambari_server_fqdn.crt /var/lib/ambari-server/keys/https.crt 
# cp /etc/ambari-server/certs/$ambari_server_fqdn.key /var/lib/ambari-server/keys/https.key

After copying the above ccert and key to the destinations,restart the ambari-server

# service ambari-server restart

The Ambari should trust your CA signed Import to the trust keystore -destkeypass should be adapted to your environment.

1: convert

$openssl pkcs12 -export -in /etc/ambari-server/certs/$ambari_server_fqdn.crt -inkey /etc/ambari-server\
/certs/$ambari_server_fqdn.key -out /etc/ambari-server/certs/$ambari_server_fqdn.p12 -name \
$ambari_server_fqn

2:import

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /etc/ambari-server\
/certs/$ambari_server_fqdn.jks -srckeystore /etc/ambari-server/certs/$ambari_server_fqdn.p12 \
-srcstoretype PKCS12 -srcstorepass changeit -alias $ambari_server_fqdn

3: After import to trustore remove the .p12 key no longer needed

rm /etc/ambari-server/certs/$ambari_server_fqdn.p12

Re: Replace Self Signed SSL certificates with CA signed

szhaoaus — Fri, 11 Sep 2020 03:28:17 GMT

It's best to run:

ambar-server setup-security

and use Option1 to update https certificates. It will ask for crt and key files, and automatically updates relevant files behind the scene. The solution mentioned above doesn't work for me.

After security setup, restart ambari server:

ambari-server restart