[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sailesh Mukil updated KUDU-2401:
--------------------------------
    Description:
This was found while using Impala w/ KRPC with external PKI.

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This format of certificates works with Impala on Thrift but it doesn't work with KRPC.

Workaround for this issue w/ KRPC turned on:
If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.

Also TODO: Add a test case that has multiple intermediate CAs. Right now we're testing with only one intermediate CA.

  was:
This was found while using Impala w/ KRPC with external PKI.

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This format of certificates works with Impala on Thrift but it doesn't work with KRPC.

Workaround for this issue w/ KRPC turned on:
If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.


> External TLS certificate with Intermediate CA in server cert file fails
> -----------------------------------------------------------------------
>
>                 Key: KUDU-2401
>                 URL: https://issues.apache.org/jira/browse/KUDU-2401
>             Project: Kudu
>          Issue Type: Bug
>          Components: security
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Major
>              Labels: security, tls
>
> This was found while using Impala w/ KRPC with external PKI.
> Take 2 certificate files: cert.pem and truststore.pem
> cert.pem has 2 certificates in it:
> A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
> And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by
> CN=CertToolkitRootCA)
> truststore.pem has 1 certificate in it:
> A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)
> This format of certificates works with Impala on Thrift but it doesn't work
> with KRPC.
> Workaround for this issue w/ KRPC turned on:
> If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into
> truststore.pem, then this seems to work.
> Also TODO: Add a test case that has multiple intermediate CAs. Right now
> we're testing with only one intermediate CA.
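
The file layout from this report, rebuilt with throwaway keys as an added example (not part of the report and not Kudu or Impala code). It uses `openssl verify` to show that the chain validates only when the intermediate reaches the verifier, either alongside the leaf or in the trust store; it does not reproduce KRPC itself. File names other than cert.pem and truststore.pem, the key size and the validity period are assumptions.

```bash
#!/usr/bin/env bash
# Constructed PKI: CNs are from the report, everything else is an assumption.
set -eu
WORK=$(mktemp -d); cd "$WORK"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue <name> <CN> <extension section> <issuer name | self>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$4" = self ]; then signer="-signkey $1.key"
  else signer="-CA $4.pem -CAkey $4.key -CAcreateserial"; fi
  openssl x509 -req -in "$1.csr" $signer -days 30 \
    -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# verify <trust store> <leaf file> [file of untrusted chain certs]
# openssl verify checks only the first certificate in <leaf file>;
# extra certificates in that file are ignored unless passed via -untrusted.
verify() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

issue root CertToolkitRootCA v3_ca   self
issue int  CertToolkitIntCA  v3_ca   root
issue node hostname          v3_leaf int
cat node.pem int.pem > cert.pem                   # leaf + intermediate, as reported
cp root.pem truststore.pem                        # root only, as reported
cat root.pem int.pem > truststore_workaround.pem  # workaround: intermediate moved here

report() { if verify "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report truststore.pem cert.pem             # intermediate not supplied: FAIL
report truststore.pem cert.pem cert.pem    # intermediate supplied as chain: OK
report truststore_workaround.pem node.pem  # workaround layout: OK
```

The first case corresponds to a peer that is handed only the leaf certificate, which is why moving the intermediate into the trust store makes verification succeed.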