Replace Self Signed SSL certificates with CA signed

Master Mentor

I have created self-signed certificates (.csr and .key) for my Ambari and Ranger in a kerberized environment, and all is working fine. We just ordered CA-signed certificates, so my question is: how do I just replace these self-signed certificates with too much reconfiguration?

1 ACCEPTED SOLUTION

Master Mentor

Resolved

Here we go: the CA-signed certificate $ambari_server_fqdn.crt replaces the crt generated during the self-signed test phase, and the private key generated during the CSR creation is $ambari_server_fqdn.key. Copy the .crt and .key; Ambari stores the ssl config in /etc/lib/ambari_server ........

# cp /etc/ambari-server/certs/$ambari_server_fqdn.crt /var/lib/ambari-server/keys/https.crt 
# cp /etc/ambari-server/certs/$ambari_server_fqdn.key /var/lib/ambari-server/keys/https.key 

After copying the above cert and key to the destinations, restart the ambari-server.

# service ambari-server restart 

Ambari should trust your CA-signed certificate. Import it to the trust keystore; -destkeypass should be adapted to your environment.

1: convert

$ openssl pkcs12 -export -in /etc/ambari-server/certs/$ambari_server_fqdn.crt \
    -inkey /etc/ambari-server/certs/$ambari_server_fqdn.key \
    -out /etc/ambari-server/certs/$ambari_server_fqdn.p12 -name $ambari_server_fqdn

2: import

$ keytool -importkeystore -deststorepass changeit -destkeypass changeit \
    -destkeystore /etc/ambari-server/certs/$ambari_server_fqdn.jks \
    -srckeystore /etc/ambari-server/certs/$ambari_server_fqdn.p12 \
    -srcstoretype PKCS12 -srcstorepass changeit -alias $ambari_server_fqdn

3: After the import to the truststore, remove the .p12 file, which is no longer needed

rm /etc/ambari-server/certs/$ambari_server_fqdn.p12
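
A pre-flight check for the copy step in the accepted solution, as an added example that is not part of the original post or of Ambari: before https.crt and https.key are overwritten, it confirms that the CA-signed certificate carries the public key of the private key created with the CSR, has not expired, and covers the server name. The function names, return codes and sample hostname are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a CA-signed certificate against its private key
# before installing the pair.
# Return codes (chosen for this example): 0 ok, 1 key mismatch,
# 2 unreadable or unparsable file, 3 expired, 4 hostname not covered.
check_cert_key_pair() {
  cert=$1; key=$2; fqdn=${3:-}
  [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 2; }

  # Extract each public key separately so a parse failure is reported
  # instead of two empty strings comparing equal.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate was not issued for this private key" >&2
    return 1
  fi

  # -checkend 0 exits non-zero when the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 3; }

  # Optional: the name clients connect to must be covered by the certificate.
  if [ -n "$fqdn" ]; then
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" \
      | grep -q "does match certificate" \
      || { echo "$fqdn is not covered by the certificate" >&2; return 4; }
  fi
  return 0
}

# Constructed sample input: a throwaway self-signed pair for trying the check.
make_sample_pair() {  # $1 = output directory, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}

# Stand-alone use: sh check_pair.sh CERT KEY [FQDN]
if [ "$#" -ge 2 ]; then
  check_cert_key_pair "$@" && echo "OK: certificate and key belong together"
fi
```

With the paths from the post, the call would be `check_cert_key_pair /etc/ambari-server/certs/$ambari_server_fqdn.crt /etc/ambari-server/certs/$ambari_server_fqdn.key $ambari_server_fqdn`.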


3 REPLIES 3

Contributor

@Geoffrey Shelton Okot You can follow instructions similar to this: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/_set_up_truststor.... Basically you'll need to import certificates to your truststore/keystore.


New Contributor

It's best to run:

ambari-server setup-security

and use Option 1 to update the https certificates. It will ask for the crt and key files, and automatically updates the relevant files behind the scenes. The solution mentioned above doesn't work for me.

 

After security setup, restart ambari server:

ambari-server restart