
TLS Certificates

Danger: The certificates generated in this guide should only be used for proof-of-concept or testing deployments. These certificates should not be used in production.

Audience: System Administrators

Content Summary: If you do not have TLS certificates available for your Immuta hostnames, you can use this guide to generate a Certificate Authority and corresponding certificates for the Immuta Metadata database, Query Engine, and Web Service.

Note: These certificates should not be considered a secure replacement for certificates signed by a trusted Certificate Authority, and therefore should not be used in a production deployment of Immuta. These certificates should only be used for proof-of-concept deployments if certificates signed by a trusted CA are not available.

Generate TLS Certificates

The commands below are meant to be run on each node of the Immuta instance.

  1. Export the variables below.

    export IMMUTA_HOSTNAME=$(hostname)
    export IMMUTA_HOME=/etc/immuta
    
  2. Run the commands below. Note that openssl is required, and that the commands use process substitution (`<( ... )`), so run them in bash.

    OUT_DIR="${IMMUTA_HOME}/tls"
    mkdir -p "${OUT_DIR}"
    
    # Create the self-signed CA key and certificate. With -x509, openssl req
    # reads the extension section from x509_extensions (not "extensions"),
    # and a CA certificate needs keyCertSign or verifiers reject the chain.
    openssl req -new -sha256 -nodes -days 1024 -newkey rsa:2048 -x509 \
        -out "${OUT_DIR}/immuta-ca.crt" -keyout "${OUT_DIR}/immuta-ca.key" \
        -config <(
    cat <<-EOF
    [req]
    prompt = no
    x509_extensions = req_ext
    distinguished_name = dn
    [dn]
    C=US
    ST=Maryland
    L=College Park
    O=Immuta
    OU=Immuta Deployment
    CN = Immuta CA for RPM Deployments
    [req_ext]
    basicConstraints = CA:TRUE
    keyUsage = digitalSignature, keyCertSign, cRLSign
    EOF
    )
    
    # Create this node's private key and a certificate signing request.
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -out "${OUT_DIR}/immuta.csr" -keyout "${OUT_DIR}/immuta.key" \
        -config <(
    cat <<-EOF
    [req]
    prompt = no
    distinguished_name = dn
    [dn]
    C=US
    ST=Maryland
    L=College Park
    O=Immuta
    OU=Immuta Deployment
    CN = ${IMMUTA_HOSTNAME}
    EOF
    )
    
    # Sign the CSR with the CA. The server certificate's extensions come from
    # -extfile; the hostname goes in subjectAltName, which clients match on.
    openssl x509 -req -in "${OUT_DIR}/immuta.csr" -CA "${OUT_DIR}/immuta-ca.crt" \
        -CAkey "${OUT_DIR}/immuta-ca.key" \
        -CAserial "${OUT_DIR}/immuta-ca.srl" \
        -CAcreateserial \
        -out "${OUT_DIR}/immuta.crt" \
        -days 1024 -sha256 \
        -extfile <(cat <<-EOF
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    subjectAltName = @san
    [san]
    DNS.1 = ${IMMUTA_HOSTNAME}
    EOF
    )
    

Note: By default this CA and certificate will be valid for 1024 days (about 3 years). To increase or decrease the validity period, change all occurrences of 1024.
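Added here as an example, not part of the Immuta guide: a shell function that checks the files written to ${OUT_DIR} before Immuta is pointed at them, catching the failure modes a hand-rolled CA tends to produce (CA lacking CA:TRUE or keyCertSign, subjectAltName not matching the node hostname, key not matching the certificate, imminent expiry). It assumes openssl 1.1.1 or newer on PATH and the file names used in the procedure above.

```shell
# Added example (not from the Immuta guide): sanity-check the TLS files the
# procedure above writes to ${OUT_DIR} before pointing Immuta at them.
# Assumes openssl 1.1.1 or newer on PATH and the file names used above.
# Usage: check_immuta_tls "${IMMUTA_HOME}/tls" "${IMMUTA_HOSTNAME}"
# Prints one line per check and returns 0 only when every check passes.
check_immuta_tls() {
    local dir="$1" host="$2" rc=0
    local ca="$dir/immuta-ca.crt" crt="$dir/immuta.crt" key="$dir/immuta.key"
    local ca_text crt_text
    ca_text=$(openssl x509 -in "$ca" -noout -text 2>/dev/null) \
        || { echo "FAIL cannot read $ca"; return 1; }
    crt_text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) \
        || { echo "FAIL cannot read $crt"; return 1; }
    # 1. The CA must really be a CA: CA:TRUE plus keyCertSign, otherwise
    #    openssl verify rejects any chain built through it.
    if printf '%s' "$ca_text" | grep -q 'CA:TRUE' \
       && printf '%s' "$ca_text" | grep -q 'Certificate Sign'; then
        echo "ok   CA certificate: CA:TRUE with keyCertSign"
    else
        echo "FAIL CA certificate: missing CA:TRUE or keyCertSign"; rc=1
    fi
    # 2. The server certificate must not itself be a CA.
    if printf '%s' "$crt_text" | grep -q 'CA:FALSE'; then
        echo "ok   server certificate: CA:FALSE"
    else
        echo "FAIL server certificate: basicConstraints is not CA:FALSE"; rc=1
    fi
    # 3. Chain builds to the CA and the SAN matches this node's hostname.
    #    -verify_hostname applies OpenSSL's own matching, so CN alone fails.
    if openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
        echo "ok   chain verifies and subjectAltName matches $host"
    else
        echo "FAIL chain or hostname check failed for $host"; rc=1
    fi
    # 4. The private key belongs to the certificate (compare public keys).
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "ok   immuta.key matches immuta.crt"
    else
        echo "FAIL immuta.key does not match immuta.crt"; rc=1
    fi
    # 5. Still valid for at least 30 days (2592000 seconds from now).
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
        echo "ok   server certificate valid for at least 30 more days"
    else
        echo "FAIL server certificate expires within 30 days or is expired"; rc=1
    fi
    return $rc
}
```

Run it on every node after step 2; a FAIL on check 3 with the node's own hostname usually means IMMUTA_HOSTNAME did not match the name clients will actually connect to.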

If you already have a certificate that is valid for IMMUTA_HOSTNAME and is signed by a Certificate Authority that your users trust, skip the generation steps above and copy that certificate and its key into the location expected for external certificates.