How to Add Root and Intermediate CAs to Truststore for TLS/SSL

If a signed certificate is from a certificate authority (CA) that does not have certificates in the truststore for whatever reason (internal CA or a public CA not included in the Java truststore, for example), you must explicitly establish trust for the CA, as detailed below. The content of the truststore for the Cloudera Manager Server cluster can be modified (certificates added, for example) without restarting the server. Changes to the truststore are adopted by the system within 10 seconds.

Explicit Trust for Certificates

Before importing the certificate into the keystore of the host system, you must load the root CAs and any intermediate CAs into the truststore.
  1. Copy the root and intermediate CA certificates to these locations on the Cloudera Manager Server host:
    /opt/cloudera/security/pki/rootca.cert.pem
    /opt/cloudera/security/pki/intca.cert.pem
    
    1. For concatenated files containing root CA and intermediate CA certificates, split the file between the END CERTIFICATE and BEGIN CERTIFICATE boundaries that separate each certificate in the file and make individual files instead.
    2. When extracting multiple intermediate CA certificates from a concatenated file, use unique file names such as intca-1.cert.pem, intca-1.cert.pem, and so on.
  2. Import the root CA certificate into the JDK truststore. If you do not have the $JAVA_HOME variable set, replace it with the path to the Oracle JDK.
    $ sudo keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts \
    -file /opt/cloudera/security/pki/rootca.cert.pem -storepass changeit
    The default password for the cacerts file is changeit (as shown in the above command). Cloudera recommends changing this password by running the keytool command:
    keytool -storepasswd -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  3. Copy the jssecacerts file from the Cloudera Manager Server host to all other cluster hosts. Copy the file to the same location on each host using the path required by Oracle JDK, which is as follows:
    $JAVA_HOME/jre/lib/security/jssecacerts
    
  4. On the Cloudera Manager Server host, append the intermediate CA certificate to the signed server certificate. Be sure to use the append (>>) operator—not overwrite (>)—when executing the statement:
    $ sudo cat /opt/cloudera/security/pki/intca.cert.pem >> \
    /opt/cloudera/security/pki/$(hostname -f)-server.cert.pem