
Private CA vs self-signed certs

Explorer

Related to Kerberos AA activation, the CDH docs recommend using TLS security for communication between CM and node agents. Using a private CA or self-signed certs are both viable options, and I think it's clear why the first one is recommended. However, let's say we're building a CDH platform which will only communicate via some internal, non-public network (a company's intranet, for example). Do you think that a self-signed cert presents a satisfactory security level for that kind of environment? What are your thoughts on this?

3 REPLIES

Re: Private CA vs self-signed certs

Expert Contributor

Hello mat15,

The level of security for data flowing through the tunnel is more or less the same. But a self-signed cert has no identity of owner/CA to it, and the private key will be shared with a 3rd party.

If your scenario is limited to INTERNAL use only, then you can go the self-signed route.

I hope that helps.

Re: Private CA vs self-signed certs

Explorer

Yes, I'd agree that self-signed certs could be appropriate for internal use (only).

Re: Private CA vs self-signed certs

In general, a private CA is much easier to manage. You need a copy of every self-signed cert in the trust store, and if you add hosts that require new self-signed certs then you have to update all hosts and clients that may talk to that host to add the cert to their trust stores.

With a private CA then you only need to do the trust store change once.

The best of course is one signed by a well-known CA, in which case you
don't have to update clients at all.
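The trust-store difference the last reply describes can be reproduced with the openssl CLI. The script below is an added example written for this thread; it is not code from the thread or from Cloudera. It assumes `openssl` (1.1.1 or later) is on the PATH, and the host names `node1` to `node4` and the CA name are constructed placeholders. On the self-signed route the client's trust store must contain each host's own cert, so a newly added host fails verification until its cert is appended; on the private-CA route the trust store holds only the CA cert, and every cert the CA issues verifies without touching the client again. Each host's private key is generated on the host and never leaves it; only a CSR goes to the CA.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed host certs vs a private CA,
# compared by what a client's trust store must contain. Names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/req.cnf"

# Minimal req config so nothing here depends on a system openssl.cnf.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Private key plus CSR for a name; the key stays where it was generated.
new_key_and_csr() {
  name=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -config "$CFG" -key "$WORK/$name.key" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
}

# End-entity extensions: explicitly not a CA, host name bound via SAN.
host_ext() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
}

# Self-signed route: each host signs its own cert with its own key.
make_self_signed() {
  host=$1
  new_key_and_csr "$host"
  host_ext "$host"
  openssl x509 -req -in "$WORK/$host.csr" -signkey "$WORK/$host.key" -days 365 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Private CA route: one root key and cert (the key would be kept offline).
make_private_ca() {
  new_key_and_csr ca
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# CA signs a host's CSR; the host's private key is never sent anywhere.
ca_issue() {
  host=$1
  new_key_and_csr "$host"
  host_ext "$host"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Would a client whose trust store is file $1 accept host $2's cert? (0 = yes)
# System CA locations are disabled so only the given store counts.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# Walk through both routes and print what the client sees.
demo() {
  make_self_signed node1
  make_self_signed node2
  cp "$WORK/node1.crt" "$WORK/ts_self.pem"      # client trusts node1 only
  verify_against "$WORK/ts_self.pem" node1 && echo "self-signed store: node1 OK"
  verify_against "$WORK/ts_self.pem" node2 || echo "self-signed store: node2 rejected (cert not in store)"
  cat "$WORK/node2.crt" >> "$WORK/ts_self.pem"  # every client needs this edit per new host
  verify_against "$WORK/ts_self.pem" node2 && echo "self-signed store: node2 OK after adding its cert"

  make_private_ca
  cp "$WORK/ca.crt" "$WORK/ts_ca.pem"           # client trusts the CA once
  ca_issue node3
  ca_issue node4
  verify_against "$WORK/ts_ca.pem" node3 && echo "CA store: node3 OK"
  verify_against "$WORK/ts_ca.pem" node4 && echo "CA store: node4 OK with no trust store change"
}

demo
```

Run it as a plain `sh` script; the temporary directory is removed on exit. Adding a fifth host to the CA route means one more `ca_issue` and no change on any client, which is the management difference the reply is pointing at. Note that the private CA still needs its own care: the `ca.key` file signs everything the cluster trusts, so it belongs on an offline or tightly restricted host, and a leaked self-signed host key only affects that one host while a leaked CA key affects all of them.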