Cloudbreak ships with a mini Knox gateway that is not managed by Ambari, so its TLS certificate has to be replaced by hand.

Below are the steps to replace the self-signed certificate with a CA-signed certificate.

Step 1: Remove the two entries below from /usr/hdp/current/knox-server/conf/gateway-site.xml and save the file.

<property> 
<name>gateway.signing.keystore.name</name> 
<value>signing.jks</value> 
</property> 

<property> 
<name>gateway.signing.key.alias</name> 
<value>signing-identity</value> 
</property> 

Step 2: Take a backup of the original keystore and credential store:

[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/
[~]$ mkdir backup
[~]$ mv __gateway-credentials.jceks gateway.jks backup/

Step 3: Create a keystore in PKCS12 format from your private key file, certificate, intermediate certificate and root certificate. openssl pkcs12 uses only the last -certfile given, so concatenate the intermediate and root certificates into one chain file first:

[~]$ cat <root_intermediate>.cer <root_ca>.cer > chain.cer
[~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile chain.cer

Step 4: Regenerate the master key. Use the same password for the master key and the keystore. The ls should report "No such file or directory" before create-master is run, confirming the old master secret is gone.

# rm -rf /usr/hdp/current/knox-server/data/security/master
# ls -l /usr/hdp/current/knox-server/data/security/master
# /usr/hdp/current/knox-server/bin/knoxcli.sh create-master

Step 5: Generate the Knox keystore (gateway.jks) from the PKCS12 file

[~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/
[~]$ cd /usr/hdp/current/knox-server/data/security/keystores/

[~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks \
      -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret>

Step 6: Rename the key alias in the keystore to gateway-identity (openssl exports the entry under the alias "1")

[~]$ keytool -changealias -alias "1" -destalias "gateway-identity" -keypass <knox-master-secret> -keystore gateway.jks -storepass <knox-master-secret>

Step 7: Store the keystore password in the credential store (__gateway-credentials.jceks)

[~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>

Step 8: Restart Knox and follow the gateway log to confirm it starts cleanly with the new keystore

[~]$ tail -f /var/log/knox/gateway.log
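The whole procedure as one script, as an added example that is not the article's own code. KNOX_HOME and the keystore paths are the article's; the KEY, CERT, INTERMEDIATE, ROOT_CA, SRC_PASS and MASTER_SECRET variables, the `--master` argument to create-master and the gateway.sh stop/start calls for Step 8 are assumptions. With DRY_RUN=1 each privileged step only prints the command it would run, so the flow can be reviewed on a host without Knox or keytool; Step 1 is real text processing and runs anywhere.

```shell
#!/bin/sh
# Added example, not the article's own script: the eight steps above as
# shell functions. KEY, CERT, INTERMEDIATE, ROOT_CA, SRC_PASS, MASTER_SECRET,
# "knoxcli.sh create-master --master" and "gateway.sh stop/start" are
# assumptions; set the variables before running with the "apply" argument.

KNOX_HOME="${KNOX_HOME:-/usr/hdp/current/knox-server}"
KEYSTORE_DIR="$KNOX_HOME/data/security/keystores"
GATEWAY_SITE="$KNOX_HOME/conf/gateway-site.xml"
DRY_RUN="${DRY_RUN:-0}"
KEY="${KEY:-private-key.key}"                      # placeholder: your private key
CERT="${CERT:-cert.cer}"                           # placeholder: CA-signed leaf cert
INTERMEDIATE="${INTERMEDIATE:-intermediate.cer}"   # placeholder: intermediate CA cert
ROOT_CA="${ROOT_CA:-root_ca.cer}"                  # placeholder: root CA cert
SRC_PASS="${SRC_PASS:-src-keystore-password}"      # placeholder: PKCS12 password
MASTER_SECRET="${MASTER_SECRET:-knox-master-secret}"  # placeholder: Knox master secret

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: print gateway-site.xml without the two gateway.signing.* properties.
# Each <property> block is buffered and dropped if it names either key.
remove_signing_properties() {
    awk '
        /<property>/ { inblock = 1; block = "" }
        inblock      { block = block $0 "\n" }
        /<\/property>/ && inblock {
            inblock = 0
            if (block !~ /gateway\.signing\.keystore\.name/ &&
                block !~ /gateway\.signing\.key\.alias/) printf "%s", block
            next
        }
        !inblock { print }
    ' "$1"
}

# Steps 2-7: back up, build the PKCS12 with its chain, regenerate the master
# secret, import into gateway.jks, rename the alias, store the passphrase.
replace_keystore() {
    run mkdir -p "$KEYSTORE_DIR/backup"                                    # Step 2
    run mv "$KEYSTORE_DIR/__gateway-credentials.jceks" "$KEYSTORE_DIR/gateway.jks" "$KEYSTORE_DIR/backup/"
    # Step 3: openssl honours only the last -certfile, so the intermediate
    # and root are concatenated into one chain file instead of passing two.
    run sh -c "cat '$INTERMEDIATE' '$ROOT_CA' > corp_chain.cer"
    run openssl pkcs12 -export -out corp_cert_chain.pfx -inkey "$KEY" -in "$CERT" \
        -certfile corp_chain.cer -passout "pass:$SRC_PASS"
    run rm -rf "$KNOX_HOME/data/security/master"                          # Step 4
    run "$KNOX_HOME/bin/knoxcli.sh" create-master --force --master "$MASTER_SECRET"
    run cp corp_cert_chain.pfx "$KEYSTORE_DIR/"                            # Step 5
    run keytool -importkeystore -srckeystore "$KEYSTORE_DIR/corp_cert_chain.pfx" -srcstoretype pkcs12 \
        -destkeystore "$KEYSTORE_DIR/gateway.jks" -deststoretype jks \
        -srcstorepass "$SRC_PASS" -deststorepass "$MASTER_SECRET" -destkeypass "$MASTER_SECRET"
    run keytool -changealias -alias 1 -destalias gateway-identity \
        -keypass "$MASTER_SECRET" -keystore "$KEYSTORE_DIR/gateway.jks" -storepass "$MASTER_SECRET"  # Step 6
    run "$KNOX_HOME/bin/knoxcli.sh" create-alias gateway-identity-passphrase --value "$MASTER_SECRET"  # Step 7
}

# Step 8: restart the gateway and confirm the new identity is in the keystore.
# keytool -list -alias exits non-zero when the alias is missing, so a botched
# Step 6 fails here instead of surfacing as a TLS error later.
restart_and_verify() {
    run "$KNOX_HOME/bin/gateway.sh" stop
    run "$KNOX_HOME/bin/gateway.sh" start
    run keytool -list -keystore "$KEYSTORE_DIR/gateway.jks" -storepass "$MASTER_SECRET" -alias gateway-identity
}

main() {
    if [ "$DRY_RUN" != "1" ]; then   # Step 1 rewrites the config in place
        remove_signing_properties "$GATEWAY_SITE" > "$GATEWAY_SITE.new" && mv "$GATEWAY_SITE.new" "$GATEWAY_SITE"
    fi
    replace_keystore
    restart_and_verify
}

# Only apply when asked explicitly, e.g.: DRY_RUN=1 sh replace_knox_cert.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Passing `-name gateway-identity` to openssl pkcs12 would set the friendly name keytool uses as the alias and make Step 6 unnecessary; the script keeps the article's separate rename so each step maps to one above.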
Last update: 10-05-2017 01:06 PM