
Using single SSL Certificate on multiple hosts?

Contributor

Hi all,

Currently in the cluster we have different host certs for each host of the cluster. Is it possible to configure a single SSL cert for all the hosts? (This is to avoid generating multiple CSRs and getting them signed.)

1) Is it possible?

2) How, if possible?

3) Possible security concerns?

Regards,

Arpan

1 ACCEPTED SOLUTION

Expert Contributor

@Arpan Rajani Yes, you can use a wildcard certificate - see https://en.wikipedia.org/wiki/Wildcard_certificate

If you're using a CA authority then most will generate wildcard certificates for you. If you're using an internal CA or self-signed certificates then this link shows you how: https://serversforhackers.com/self-signed-ssl-certificates

In terms of using it for Hadoop, it is used in the same way as a regular certificate but you only have one certificate for all the services.

The main security issue with this is that if someone gets hold of the certificate they can install it on any host in your network that matches the domain in DNS (for example *.example.com) and get a valid certificate on that host.


3 REPLIES


Contributor

@Terry Stebbens Thanks Terry for quick response.

We are using a third-party CA (not the self-signed ones).

Currently, while generating the CSR we give Common Name = {hostname}

$hostname yields: abc-xyz-001.CompanyName.COM

Instead, when we give CN = *.CompanyName.COM, do we need to get a domain set up in DNS to handle this?

Thanks,

Arpan

Explorer

Yes, it’s possible to use a single SSL certificate across all hosts in your cluster, but it depends on how your domains are set up. If all hosts share the same base domain (like host1.example.com, host2.example.com), you can use a wildcard SSL or a multi-domain (SAN) SSL certificate that covers all hostnames. Install the same cert and key on each node. This avoids creating separate CSRs and renewals for every host. Just note that sharing one private key across multiple servers can be a small security risk if one host is compromised. Hope it helps!