Support Questions
Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

"Enabling Server Certificate Verification on Cloudera Manager Agents" with self-signed certificates

If I am using self-signed certificates, how can I do "Enabling Server Certificate Verification on Cloudera Manager Agents" from



I do not have /opt/cloudera/security/pki/rootca.cert.pem. Instead I have on each host:




Should I copy /opt/cloudera/security/x509/<CM server hostname>.{pem,key} into /opt/cloudera/security/pki/rootca.cert.pem on each host?


What does the terminology mean: root certificate, intermediate certificate?


If I do not procede with TLS configuration any further, will I still be able to use Kerberos?




I guess, I can try to follow the instructions here

to create self-signed root certificate and use it to sign host certificates... 


It looks like there is also a way to do it with keytool


You could do that and create your own CA cert and then use that to sign your server certs.

You should be able to copy the CM self-sign certificate to each hosts and configure that as well. Just the cert, PEM file, not the key.

You will need to have this set up so that the Agents can talk to CM over TLS to move the keytabs around, if using the wizard. If you are not using the wizard you can still configure Kerberos and use it without going any further.

Super Guru

Hi @IgorYakushin,


To add to what @mbigelow mentioned, you can enable Kerberos without using TLS to secure communication between your agents and Cloudera Manager, but that would allow the kerberos keytabs to be transmitted from Cloudera Manager to your agents in the clear (risking a malicious party gaining access to your ketyab).


Most of the security you will likley need is taken care of by inabling TLS for Agent communication in this section:

Configuring TLS Encryption for Cloudera Manager Agents


This will encrypt communication when the agent gets the keytabs and other files from CM.


If you want more security by having the agents do verification of Cloudera Manager's certificate signer and hostname, then you can configure your trust file for each agent (to trust the CM signer).


In summary, you don't need to have TLS enabled to enable Kerberos.  If you need to protect the keytabs, enable TLS Encryption for Agents.

If you need higher security by having the agents trust the signer of the Cloudera Manager server certificate, you can proceed with the other steps: