Created on 03-15-2017 07:16 AM - edited 09-16-2022 04:15 AM
I have created self-signed certificates (.csr and .key) for my Ambari and Ranger in a kerberized environment, and all is working fine. We just ordered CA-signed certificates, so my question is: how do I just replace these self-signed certificates with too much reconfiguration?
Created 04-03-2017 10:58 PM
Resolved
Here we go: the CA-signed certificate $ambari_server_fqdn.crt replaces the crt generated during the self-signed test phase, and the private key generated during the CSR creation is $ambari_server_fqdn.key. Copy the .crt and .key; Ambari stores the ssl config in /etc/lib/ambari_server ........
# cp /etc/ambari-server/certs/$ambari_server_fqdn.crt /var/lib/ambari-server/keys/https.crt
# cp /etc/ambari-server/certs/$ambari_server_fqdn.key /var/lib/ambari-server/keys/https.key
After copying the above cert and key to the destinations, restart the ambari-server
# service ambari-server restart
Ambari should trust your CA-signed certificate. Import it to the trust keystore; -destkeypass should be adapted to your environment.
1: convert
$ openssl pkcs12 -export -in /etc/ambari-server/certs/$ambari_server_fqdn.crt \
    -inkey /etc/ambari-server/certs/$ambari_server_fqdn.key \
    -out /etc/ambari-server/certs/$ambari_server_fqdn.p12 \
    -name $ambari_server_fqdn
2: import
keytool -importkeystore -deststorepass changeit -destkeypass changeit \
    -destkeystore /etc/ambari-server/certs/$ambari_server_fqdn.jks \
    -srckeystore /etc/ambari-server/certs/$ambari_server_fqdn.p12 \
    -srcstoretype PKCS12 -srcstorepass changeit -alias $ambari_server_fqdn
3: After import to the truststore, remove the .p12 key, no longer needed
rm /etc/ambari-server/certs/$ambari_server_fqdn.p12
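A pre-flight check for the certificate swap described above, added here as an example (it is not part of the original post or of Ambari): before the files are copied over https.crt and https.key, it confirms that the CA-signed certificate and the private key belong together, that the certificate is not close to expiry, and that the key file is not accessible to group or other. The function names and the 30-day default are assumptions; it needs openssl and a `stat` that supports `-c` (GNU or BusyBox), and expects an unencrypted private key.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): pre-flight checks to run
# before copying a CA-signed cert/key over Ambari's https.crt / https.key.
# Function names and the 30-day default are assumptions of this sketch.

# 0 when cert and key carry the same public key, 1 on mismatch,
# 2 when either file cannot be parsed (or the key is passphrase-protected).
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# 0 when the certificate is still valid MIN_DAYS ($2) from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when the key file grants nothing to group/other (e.g. 600 or 400).
key_is_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# usage: preflight CERT KEY [MIN_DAYS]
preflight() {
    local cert="$1" key="$2" min_days="${3:-30}"
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $cert and $key do not form a pair" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" \
        || { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }
    key_is_private "$key" \
        || { echo "FAIL: $key is accessible to group/other" >&2; return 1; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the checks when called as: preflight.sh CERT KEY [MIN_DAYS]
[ "$#" -lt 2 ] || preflight "$@"
```

A mismatched pair is the usual outcome when the CSR was regenerated after the key that was kept on disk, so running this before the restart avoids bringing Ambari down with an unusable HTTPS configuration.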
Created 03-23-2017 03:36 AM
@Geoffrey Shelton Okot You can follow instructions similar to this: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/_set_up_truststor.... Basically you'll need to import certificates to your truststore/keystore.
Created 09-10-2020 08:28 PM
It's best to run:
ambari-server setup-security
and use Option 1 to update https certificates. It will ask for crt and key files, and automatically updates relevant files behind the scenes. The solution mentioned above doesn't work for me.
After security setup, restart ambari server:
ambari-server restart