[jira] [Updated] (KUDU-2401) External TLS certificate with Intermediate CA in server cert file fails
[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adar Dembo updated KUDU-2401: - Fix Version/s: (was: 1.7.1) 1.8.0 > External TLS certificate with Intermediate CA in server cert file fails > --- > > Key: KUDU-2401 > URL: https://issues.apache.org/jira/browse/KUDU-2401 > Project: Kudu > Issue Type: Bug > Components: security >Reporter: Sailesh Mukil >Assignee: Sailesh Mukil >Priority: Major > Labels: security, tls > Fix For: 1.8.0 > > > This was found while using Impala w/ KRPC with external PKI. > Take 2 certificate files: cert.pem and truststore.pem > cert.pem has 2 certificates in it: > A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA) > And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by > CN=CertToolkitRootCA) > truststore.pem has 1 certificate in it: > A cert which is the root CA (with CN=CertToolkitRootCA, self-signed) > This format of certificates works with Impala on Thrift but it doesn't work > with KRPC. > Workaround for this issue w/ KRPC turned on: > If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into > truststore.pem, then this seems to work. > Also TODO: Add a test case that has multiple intermediate CAs. Right now > we're testing with only one intermediate CA. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KUDU-2401) External TLS certificate with Intermediate CA in server cert file fails
[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adar Dembo updated KUDU-2401: - Affects Version/s: 1.7.0 > External TLS certificate with Intermediate CA in server cert file fails > --- > > Key: KUDU-2401 > URL: https://issues.apache.org/jira/browse/KUDU-2401 > Project: Kudu > Issue Type: Bug > Components: security >Affects Versions: 1.7.0 >Reporter: Sailesh Mukil >Assignee: Sailesh Mukil >Priority: Major > Labels: security, tls > Fix For: 1.8.0 > > > This was found while using Impala w/ KRPC with external PKI. > Take 2 certificate files: cert.pem and truststore.pem > cert.pem has 2 certificates in it: > A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA) > And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by > CN=CertToolkitRootCA) > truststore.pem has 1 certificate in it: > A cert which is the root CA (with CN=CertToolkitRootCA, self-signed) > This format of certificates works with Impala on Thrift but it doesn't work > with KRPC. > Workaround for this issue w/ KRPC turned on: > If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into > truststore.pem, then this seems to work. > Also TODO: Add a test case that has multiple intermediate CAs. Right now > we're testing with only one intermediate CA. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KUDU-2401) External TLS certificate with Intermediate CA in server cert file fails
[ https://issues.apache.org/jira/browse/KUDU-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sailesh Mukil updated KUDU-2401: Description: This was found while using Impala w/ KRPC with external PKI. Take 2 certificate files: cert.pem and truststore.pem cert.pem has 2 certificates in it: A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA) And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA) truststore.pem has 1 certificate in it: A cert which is the root CA (with CN=CertToolkitRootCA, self-signed) This format of certificates works with Impala on Thrift but it doesn't work with KRPC. Workaround for this issue w/ KRPC turned on: If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work. Also TODO: Add a test case that has multiple intermediate CAs. Right now we're testing with only one intermediate CA. was: This was found while using Impala w/ KRPC with external PKI. Take 2 certificate files: cert.pem and truststore.pem cert.pem has 2 certificates in it: A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA) And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA) truststore.pem has 1 certificate in it: A cert which is the root CA (with CN=CertToolkitRootCA, self-signed) This format of certificates works with Impala on Thrift but it doesn't work with KRPC. Workaround for this issue w/ KRPC turned on: If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work. > External TLS certificate with Intermediate CA in server cert file fails > --- > > Key: KUDU-2401 > URL: https://issues.apache.org/jira/browse/KUDU-2401 > Project: Kudu > Issue Type: Bug > Components: security >Reporter: Sailesh Mukil >Assignee: Sailesh Mukil >Priority: Major > Labels: security, tls > > This was found while using Impala w/ KRPC with external PKI. > Take 2 certificate files: cert.pem and truststore.pem > cert.pem has 2 certificates in it: > A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA) > And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by > CN=CertToolkitRootCA) > truststore.pem has 1 certificate in it: > A cert which is the root CA (with CN=CertToolkitRootCA, self-signed) > This format of certificates works with Impala on Thrift but it doesn't work > with KRPC. > Workaround for this issue w/ KRPC turned on: > If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into > truststore.pem, then this seems to work. > Also TODO: Add a test case that has multiple intermediate CAs. Right now > we're testing with only one intermediate CA. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
