Using single SSL Certificate on multiple hosts?

Contributor

Hi all,

Currently in the cluster we have different host certs for each host of the cluster. Is it possible to configure a single SSL cert for all the hosts? (This is to avoid generating multiple CSRs and getting them signed.)

1) Is it possible?

2) If possible, how?

3) Possible security concerns?

Regards,

Arpan

1 ACCEPTED SOLUTION

Expert Contributor

@Arpan Rajani Yes, you can use a wildcard certificate - see https://en.wikipedia.org/wiki/Wildcard_certificate

If you're using a CA authority then most will generate wildcard certificates for you. If you're using an internal CA or self-signed certificates then this link shows you how: https://serversforhackers.com/self-signed-ssl-certificates

In terms of using it for Hadoop, it is used in the same way as a regular certificate but you only have one certificate for all the services.

The main security issue with this is that if someone gets hold of the certificate they can install it on any host in your network that matches the domain in DNS (for example *.example.com) and get a valid certificate on that host.

2 REPLIES

Contributor

@Terry Stebbens Thanks, Terry, for the quick response.

We are using a third-party CA (not the self-signed ones).

Currently, while generating the CSR, we give Common Name = {hostname}

$hostname yields : abc-xyz-001.CompanyName.COM

Instead, when we give CN = *.CompanyName.COM, do we need to get a domain set up in DNS to handle this?

Thanks,

Arpan