Replace Self Signed SSL certificates with CA signed

Mentor

I have created self signed certificates (.csr and .key) for my Ambari and Ranger in a kerberized environment; all is working fine. We just ordered CA signed certificates, so my question is how do I just replace these self signed certificates with too much reconfiguration.

1 ACCEPTED SOLUTION

Re: Replace Self Signed SSL certificates with CA signed

Mentor

Resolved

Here we go: the CA signed certificate $ambari_server_fqdn.crt replaces the crt generated during the self-signed test phase, and the private key generated during the CSR creation is $ambari_server_fqdn.key. Copy the .crt and .key; Ambari stores the SSL config in /etc/lib/ambari_server ........

# cp /etc/ambari-server/certs/$ambari_server_fqdn.crt /var/lib/ambari-server/keys/https.crt 
# cp /etc/ambari-server/certs/$ambari_server_fqdn.key /var/lib/ambari-server/keys/https.key 

After copying the above cert and key to the destinations, restart the ambari-server:

# service ambari-server restart 

Ambari should trust your CA signed certificate. Import it to the trust keystore; -destkeypass should be adapted to your environment.

1: convert

$ openssl pkcs12 -export -in /etc/ambari-server/certs/$ambari_server_fqdn.crt -inkey /etc/ambari-server\
/certs/$ambari_server_fqdn.key -out /etc/ambari-server/certs/$ambari_server_fqdn.p12 -name \
$ambari_server_fqdn

2: import

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /etc/ambari-server\
/certs/$ambari_server_fqdn.jks -srckeystore /etc/ambari-server/certs/$ambari_server_fqdn.p12 \
-srcstoretype PKCS12 -srcstorepass changeit -alias $ambari_server_fqdn 

3: After import to the truststore, remove the .p12 key, which is no longer needed

rm /etc/ambari-server/certs/$ambari_server_fqdn.p12

3 REPLIES

Re: Replace Self Signed SSL certificates with CA signed

Cloudera Employee

@Geoffrey Shelton Okot You can follow instructions similar to this: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/_set_up_truststor.... Basically you'll need to import certificates to your truststore/keystore.

Re: Replace Self Signed SSL certificates with CA signed

New Contributor

It's best to run:

ambari-server setup-security

and use Option 1 to update https certificates. It will ask for crt and key files, and automatically updates relevant files behind the scenes. The solution mentioned above doesn't work for me.

After security setup, restart ambari server:

ambari-server restart
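
Whichever method from this thread is used to install the pair (the manual copy into /var/lib/ambari-server/keys or ambari-server setup-security), the CA-signed certificate can be checked against the private key from the CSR step first. The script below is an added example, not part of any post above; the function name check_cert_pair, its return codes and the CA bundle argument are assumptions, and it expects PEM files with an unencrypted key.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight check of a CA-signed
# certificate/key pair before it replaces the self-signed pair.
# check_cert_pair and its return codes are hypothetical names chosen here.
# Assumes PEM files and an unencrypted private key.

# usage: check_cert_pair CRT KEY FQDN CA_BUNDLE [MIN_DAYS_LEFT]
check_cert_pair() {
    local crt="$1" key="$2" fqdn="$3" ca="$4" days="${5:-30}" cert_pub key_pub

    # Both files must parse; an empty result must never count as a match.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $crt"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key"; return 2; }

    # The key from the CSR step must be the one the CA certified.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 3; }

    # Subject == issuer means this is still a self-signed certificate.
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" != \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] \
        || { echo "FAIL: certificate is self-signed"; return 4; }

    # The certificate must chain to the CA bundle supplied with the order.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against $ca"; return 5; }

    # Clients connect by FQDN, so the certificate must cover that name.
    openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $fqdn"; return 6; }

    # Refuse a certificate that expires within MIN_DAYS_LEFT days.
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $days days"; return 7; }

    echo "OK: $crt and $key are a valid pair for $fqdn"
}

# Run as a script: ./check_cert_pair.sh CRT KEY FQDN CA_BUNDLE [DAYS]
if [ "$#" -ge 4 ]; then check_cert_pair "$@"; fi
```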