export JAVA_HOME=/usr/java/jdk1.8.0_121

sudo mkdir -p /opt/cloudera/security/pki 

root@master:/opt/cloudera/security/pki# $JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Palo Alto,ST=California,C=US" -ext san=dns:$(hostname -f)
Enter keystore password:
Re-enter new password:
Enter key password for <master>
        (RETURN if same as keystore password):
Re-enter new password:

root@master:/opt/cloudera/security/pki# $JAVA_HOME/bin/keytool -certreq -alias $(hostname -f) -keystore /opt/cloudera/security/pki/$(hostname -f).jks -file /opt/cloudera/security/pki/$(hostname -f).csr -ext san=dns:$(hostname -f) -ext EKU=serverAuth,clientAuth
Enter keystore password:
root@master:/opt/cloudera/security/pki# ls
master.csr  master.jks

root@master:/opt/cloudera/security/pki# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
......................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

root@master:/opt/cloudera/security/pki# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Palo Alto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cloudera
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:master
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@master:/opt/cloudera/security/pki# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Palo Alto/O=Cloudera/OU=Engineering/CN=master
Getting Private key
Enter pass phrase for ca.key:

root@master:/opt/cloudera/security/pki# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in master.csr -out master.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 19 06:03:33 2022 GMT
            Not After : Jul 16 06:03:33 2032 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Cloudera
            organizationalUnitName    = Engineering
            commonName                = master
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7F:4E:EC:8E:6D:44:9F:E2:63:65:6A:DC:86:A8:1B:35:20:AB:63:89
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=California/L=Palo Alto/O=Cloudera/OU=Engineering/CN=master
                serial:86:33:3F:52:47:19:6A:66

Certificate is to be certified until Jul 16 06:03:33 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo "01" > ./demoCA/serial

/opt/cloudera/security/pki/$(hostname -f).pem

openssl x509 -in /opt/cloudera/security/pki/$(hostname -f).pem -noout -text