Using a CA-Signed Certificate
To use a CA-signed certificate:

- Create the private key for the cluster root CA. This is a private key and must be kept private. The following command creates a 2048-bit key:

      openssl genrsa -out <clusterCA>.key 2048

- Self-sign the root CA certificate. The following command produces a certificate valid for 300 days and starts an interactive prompt that requests name and location information:

      openssl req -x509 -new -key <clusterCA>.key -days 300 -out <clusterCA>.pem

- Import the root CA certificate into the client truststore:

      keytool -importcert -alias <clusterCA> -file <clusterCA>.pem -keystore <clustertruststore> -storepass <clustertruststorekey>

  Note: Make sure that the ssl-client.xml file on every host is configured to use this <clustertruststore>. When configuring Hive, point it to this file; when configuring other services, install the certificate in the Java truststore.

- For each host, sign the host's certificate request file (certreq) with the root CA:

      openssl x509 -req -CA <clusterCA>.pem -CAkey <clusterCA>.key -in <host>.cert -out <host>.signed -days 300 -CAcreateserial

- On each host, import the root CA certificate and then the signed host certificate into the host keystore:

      keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias <clusterCA> -import -file <clusterCA>.pem
      keytool -keystore <hostkeystore> -storepass <hoststorekey> -alias `hostname -s` -import -file <host>.signed -keypass <hostkey>
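The steps above, run end to end as an added example that is not part of the original documentation: it builds a throwaway root CA, signs one host certificate with it, and then adds the check a practitioner wants before touching any truststore, namely that the signed certificate actually chains to the root and that a certificate from some other CA is rejected. The CA name `clusterCA`, the host name `host1.example.internal`, the `-subj` fields, the truststore password `changeit` and the temporary working directory are all constructed for the demo. The host certificate request is generated with `openssl req` rather than `keytool -certreq` so the script runs without a JDK; the truststore import is attempted only when `keytool` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a root CA, signs one host
# cert, verifies the chain, and imports the root into a Java truststore if
# keytool is available. All names, subjects and passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # constructed scratch directory
CA_NAME="clusterCA"                   # stands in for <clusterCA>
HOST_NAME="host1.example.internal"    # stands in for <host> / `hostname -s`

# Steps 1-2: root CA private key (kept private, mode 600) and self-signed cert.
# -subj replaces the interactive name/location prompts; 300 days as on the page.
make_root_ca() {
    openssl genrsa -out "$WORK/$CA_NAME.key" 2048 2>/dev/null
    chmod 600 "$WORK/$CA_NAME.key"
    openssl req -x509 -new -key "$WORK/$CA_NAME.key" -days 300 \
        -subj "/C=US/O=ExampleCluster/CN=$CA_NAME" \
        -out "$WORK/$CA_NAME.pem" 2>/dev/null
}

# The host's key and certificate request (the <host>.cert file the page signs).
make_host_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$HOST_NAME.key" \
        -subj "/C=US/O=ExampleCluster/CN=$HOST_NAME" \
        -out "$WORK/$HOST_NAME.cert" 2>/dev/null
    chmod 600 "$WORK/$HOST_NAME.key"
}

# Step 4: sign the request with the root CA, exactly as the page does.
sign_host_cert() {
    openssl x509 -req -CA "$WORK/$CA_NAME.pem" -CAkey "$WORK/$CA_NAME.key" \
        -in "$WORK/$HOST_NAME.cert" -out "$WORK/$HOST_NAME.signed" \
        -days 300 -CAcreateserial 2>/dev/null
}

# Check: the signed cert must validate against the root that goes into the
# truststore. Returns 0 on success, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$WORK/$CA_NAME.pem" "$WORK/$HOST_NAME.signed" >/dev/null 2>&1
}

# Check: a certificate from an unrelated CA must NOT validate against our root.
# Returns 0 when openssl verify correctly rejects it.
verify_rejects_other_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=OtherOrg/CN=otherCA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    if openssl verify -CAfile "$WORK/$CA_NAME.pem" "$WORK/other.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the issuer of the signed host cert; expected to name clusterCA.
signed_issuer() {
    openssl x509 -in "$WORK/$HOST_NAME.signed" -noout -issuer
}

# Step 3: import the root into the client truststore (JKS), only if a JDK exists.
import_into_keytool() {
    command -v keytool >/dev/null 2>&1 || return 1
    keytool -importcert -noprompt -alias "$CA_NAME" -file "$WORK/$CA_NAME.pem" \
        -keystore "$WORK/clustertruststore.jks" -storepass changeit >/dev/null 2>&1
}

run_demo() {
    make_root_ca
    make_host_csr
    sign_host_cert
    verify_chain && echo "host cert chains to $CA_NAME"
    verify_rejects_other_ca && echo "cert from another CA is rejected"
    echo "issuer: $(signed_issuer)"
    if import_into_keytool; then
        echo "root imported into $WORK/clustertruststore.jks"
    else
        echo "keytool not available or import failed; truststore step skipped"
    fi
}

run_demo
```

On a real host the second keytool command from the page pairs the signed certificate with the private key already in the host keystore under the `hostname -s` alias, which is why the request must originate from that keystore rather than from openssl as in this demo.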

