[jira] [Commented] (KUDU-2401) External TLS certificate with Intermediate CA in server cert file fails

2018-04-05 Thread Mike Yoder (JIRA)

[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16427638#comment-16427638 ]

Mike Yoder commented on KUDU-2401:
--

The workaround isn't acceptable for the long term.  The way it's supposed to 
work is that
 * The client sends its cert and all the intermediate certs up to but not 
including the root
 * The server has the root (and not intermediates)

I wouldn't say that this is a certificate "format" issue but rather a 
who-has-what certificate issue.

> External TLS certificate with Intermediate CA in server cert file fails
> ---
>
> Key: KUDU-2401
> URL: https://issues.apache.org/jira/browse/KUDU-2401
> Project: Kudu
> Issue Type: Bug
> Components: security
> Reporter: Sailesh Mukil
> Assignee: Sailesh Mukil
> Priority: Major
> Labels: security, tls
>
> This was found while using Impala w/ KRPC with external PKI.
> Take 2 certificate files: cert.pem and truststore.pem
> cert.pem has 2 certificates in it:
> A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
> And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by 
> CN=CertToolkitRootCA)
> truststore.pem has 1 certificate in it:
> A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)
> This format of certificates works with Impala on Thrift but it doesn't work 
> with KRPC.
> Workaround for this issue w/ KRPC turned on:
> If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into 
> truststore.pem, then this seems to work.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
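
The who-has-what layout discussed in this thread, reproduced with a throwaway PKI and checked with `openssl verify`; this is an added example, not part of the original messages or of the Kudu patch. The CNs and the names cert.pem and truststore.pem follow the ticket; `node.example.test`, the other file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI. CNs follow the ticket;
# node.example.test is an assumed stand-in for the node's hostname.
build_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the only certificate in truststore.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ext.cnf \
      -extensions v3_ca -subj "/CN=CertToolkitRootCA" \
      -keyout root.key -out truststore.pem &&
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
      -subj "/CN=CertToolkitIntCA" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA truststore.pem -CAkey root.key \
      -set_serial 2 -days 1 -extfile ext.cnf -extensions v3_ca -out int.pem &&
    # Node certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
      -subj "/CN=node.example.test" -keyout node.key -out node.csr &&
    openssl x509 -req -in node.csr -CA int.pem -CAkey int.key \
      -set_serial 3 -days 1 -extfile ext.cnf -extensions v3_leaf -out node.pem &&
    # cert.pem as in the ticket: node certificate first, then the intermediate.
    cat node.pem int.pem > cert.pem
  ) >/dev/null 2>&1
}

# The verifying side trusts only the root. Every certificate in the presented
# file is untrusted chain material; openssl verify checks the first one in $2.
verify_presented() {  # $1 = truststore, $2 = file the other side presents
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && build_pki "$d" || return 1
  verify_presented "$d/truststore.pem" "$d/cert.pem" && echo "node + intermediate presented: chain verifies"
  verify_presented "$d/truststore.pem" "$d/node.pem" || echo "node cert only: chain cannot be built from the root alone"
  rm -rf "$d"
}
demo
```

The second check in `demo` shows the result a verifier reports when it holds only the root and is given only the node certificate, which is why the intermediate has to travel with the node certificate rather than live in the truststore.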


[jira] [Commented] (KUDU-2401) External TLS certificate with Intermediate CA in server cert file fails

2018-04-05 Thread Sailesh Mukil (JIRA)

[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16427635#comment-16427635 ]

Sailesh Mukil commented on KUDU-2401:
-

Patch for review in:
https://gerrit.cloudera.org/c/9934/
