Private CA vs self-signed certs


Related to Kerberos AA activation, CDH docs recommend using TLS security for communication between CM and node agents. Using a private CA or self-signed certs are both viable options, and I think it's clear why the first one is recommended for use. However, let's say we're building a CDH platform which will only communicate via some internal, non-public network (a company's Intranet, for example). Do you think that a self-signed cert presents a satisfactory security level for that kind of an environment? What are your thoughts on this?

Re: Private CA vs self-signed certs

Hello mat15,

The level of security for data flow through the tunnel is more or less the same. But a self-signed cert has no identity of an owner/CA attached to it, and the private key will be shared with a 3rd party.

If your scenario is limited to INTERNAL only, then you can go the self-signed route.

I hope that helps.

Re: Private CA vs self-signed certs

Yes, I'd agree that self-signed certs could be appropriate for Internal use (only).

Re: Private CA vs self-signed certs

In general, a private CA is much easier to manage. You need a copy of every
self-signed cert in the trust store, and if you add hosts that require new
self-signed certs then you have to update all hosts and clients that may
talk to that host to add the cert to their trust stores.

With a private CA then you only need to do the trust store change once.

The best of course is one signed by a well-known CA, in which case you
don't have to update clients at all.
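The trust-store difference described in this reply can be seen with a few openssl commands. The script below is an added example and not part of the thread or of any Cloudera documentation; it assumes only the `openssl` CLI is installed, and the hostnames (`node1`, `node2`, `node3`) and the working directory are constructed for the demonstration. It builds a private CA, issues certs for two hosts, creates a third host with a self-signed cert, and then shows that a trust store holding just the CA cert verifies every CA-issued host cert (including one issued after the trust store was built), whereas the self-signed cert is only accepted once it has itself been appended to the trust store.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is
# available. All key material is throwaway and written under a temp directory.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a private CA (self-signed root) whose key never leaves this directory.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Example Private CA" -days 365 >/dev/null 2>&1
}

# Issue a host certificate signed by the private CA. $1 = hostname (constructed).
issue_host_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 365 >/dev/null 2>&1
}

# Create a stand-alone self-signed host certificate. $1 = hostname (constructed).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/CN=$1" -days 365 >/dev/null 2>&1
}

# verify_against TRUSTSTORE CERT -> prints "ok" if CERT chains to something
# in TRUSTSTORE, "fail" otherwise (the client-side check in a TLS handshake).
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Count the trust anchors a client has to carry in a given trust store file.
trust_entries() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

demo() {
  make_ca
  issue_host_cert node1
  cp "$WORK/ca.crt" "$WORK/truststore.pem"       # one entry, built once

  echo "node1 (CA-issued) vs CA truststore: $(verify_against "$WORK/truststore.pem" "$WORK/node1.crt")"

  issue_host_cert node2                            # new host added later
  echo "node2 (added after truststore built): $(verify_against "$WORK/truststore.pem" "$WORK/node2.crt")"

  make_selfsigned node3
  echo "node3 (self-signed) vs CA truststore: $(verify_against "$WORK/truststore.pem" "$WORK/node3.crt")"

  # Self-signed route: every client's trust store must grow by one entry per host.
  cat "$WORK/node3.crt" >> "$WORK/truststore.pem"
  echo "node3 after appending it to truststore: $(verify_against "$WORK/truststore.pem" "$WORK/node3.crt")"
  echo "trust store entries now: $(trust_entries "$WORK/truststore.pem")"
}

demo
```

Run it as `sh private-ca-demo.sh`; it prints `ok` for both CA-issued hosts against the single-entry trust store, `fail` for the self-signed host until that certificate is appended, and an entry count of 2 afterwards, which is the maintenance cost the reply above is pointing at.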