The links provided by @amiller@hortonworks.com are a great place to start. PKI and SSL configuration are one of those security topics that are difficult to answer in a generic way. There are some prerequisites to being able to answer this question for someone or to be able to approach this in the field.
For instance, the Apache Knox User Guide link above provides a generic end-to-end answer if you need to accomplish all of the steps on your own. Often, a customer will have a security department that they need to request the certificate/key pair from and a company internal process to follow in order to do so. The steps in the User Guide related to requesting the certificate from an authority can then be replaced with that internal process.
Once a certificate/key pair is in hand, we have a couple things to do:
1. determine what needs to be done to import it into the gateway.jks keystore
a. depending on the format of the provided key pair - it may need to be converted to a format that can be imported - openssl is a great tool for doing these conversions
b. as the apache docs describe the signing cert may also need to be imported
c. be sure to import the public certificate and the private key for setting up the gateway-identity alias - importing just the certificate is for setting up trusted certs not identity certs.
2. determine whether the public key needs to be added to any client truststores
a. this is where we import just the public certificate of the trusted entity - hopefully in an existing certificate scenario the CA cert is already trusted
The above are some guidelines for understanding what is needed in general for SSL certificate/key pair provisioning. Some handy Knox specifics:
1. {GATEWAY_HOME}/data/security/keystores/gateway.jks
This is the identity keystore for the Knox Gateway and needs the public and private keys as well as any signing certs. (see apache docs) The expected alias for the certificate is gateway-identity.
2. {GATEWAY_HOME}/data/security/keystores/__gateway-credentials.jceks
This is the credential store for the gateway itself and you will want to add a credential to this that protects the private key passphrase used when you import the key pair into the identity store. This is done with knoxcli.sh create-alias gateway-identity-passphrase --value {value}.
3. The master secret for the gateway is used as the keystore password and must also be used to import the key pair. If you choose to make the private key passphrase the same as the master secret then you can skip #2 above.
Hopefully this provides not just specific steps but some background on what you need to understand for SSL configuration.
