Cloudbreak contains mini KNOX which is not managed by Ambari. Below are the steps to replace Self Signed Certificate with CA Signed Certificates Step 1: Remove below two entries from /usr/hdp/current/knox-server/conf/gateway-site.xml and save it. <property> <name>gateway.signing.keystore.name</name> <value>signing.jks</value> </property> <property> <name>gateway.signing.key.alias</name> <value>signing-identity</value> </property> Step 2: Take a backup of original configuration: [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/ [~]$ mkdir backup [~]$ mv __gateway-credentials.jceks gateway.jks backup/ Step 3: Create a keystore in PKCS12 format from your private key file, certificate, Intermediate certificate and root certificate [~]$ openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer -certfile <root_ca>.cer Step 4: Regenerate Master Key. Use the same password for master key and keystore. # rm -rf /usr/hdp/current/knox-server/data/security/master # ls -l /usr/hdp/current/knox-server/data/security/master # /usr/hdp/current/knox-server/bin/knoxcli.sh create-master Step 5: Generate Knox keystore [~]$ cp corp_cert_chain.pfx /usr/hdp/current/knox-server/data/security/keystores/ [~]$ cd /usr/hdp/current/knox-server/data/security/keystores/ [~]$ keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -destkeypass <knox-master-secret> Step 6: Replace the alias of keystore keytool -changealias -alias "1" -destalias "gateway-identity" -keypass keypass -keystore gateway.jks-storepass storepass Step 7: Store the keystore password in jceks file [~]$ /usr/hdp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret> Step 8: Restart Knox, you should see the below-highlighted lines in your knox logs [~]$ tail –f /var/log/knox/gateway.log ... View more