Skip to content

You are viewing documentation for Immuta version 2.8.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

TLS Certificates

Danger

The certificates generated in this guide should only be used for proof-of-concept or testing deployments. These certificates should not be used in production.

Audience: System Administrators

Content Summary: If you do not have TLS certificates available for your Immuta hostnames, you can use this guide to generate a Certificate Authority and corresponding certificates for the Immuta Metadata database, Query Engine, and Web Service.

Note: These certificates should not be considered a secure replacement for certificates signed by a trusted Certificate Authority, and therefore should not be used in a production deployment of Immuta. These certificates should only be used for proof-of-concept deployments if certificates signed by a trusted CA are not available.

Generate TLS Certificates

The commands below are meant to be run on each node of the Immuta instance.

  1. Export the variables below.

    export IMMUTA_HOSTNAME=`hostname`
export IMMUTA_HOME=/etc/immuta

  2. Run the commands below. Note that openssl is required.

    OUT_DIR="${IMMUTA_HOME}/tls"
mkdir -p "${OUT_DIR}"

openssl req -new -sha256 -nodes -days 1024 -newkey rsa:2048 -x509 \
    -out "${OUT_DIR}/immuta-ca.crt" -keyout "${OUT_DIR}/immuta-ca.key" \
    -config <(
cat <<-EOF
[req]
prompt = no
extensions = req_ext
distinguished_name = dn
[dn]
C=US
ST=Maryland
L=College Park
O=Immuta
OU=Immuta Deployment
CN = Immuta CA for RPM Deployments
[req_ext]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment
EOF
)

openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -out "${OUT_DIR}/immuta.csr" -keyout "${OUT_DIR}/immuta.key" \
    -config <(
cat <<-EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C=US
ST=Maryland
L=College Park
O=Immuta
OU=Immuta Deployment
CN = ${IMMUTA_HOSTNAME}
EOF
)

openssl x509 -req -in "${OUT_DIR}/immuta.csr" -CA "${OUT_DIR}/immuta-ca.crt" \
    -CAkey "${OUT_DIR}/immuta-ca.key" \
    -CAserial "${OUT_DIR}/immuta-ca.srl" \
    -CAcreateserial \
    -out "${OUT_DIR}/immuta.crt" \
    -days 1024 -sha256 \
    -extfile <(cat <<-EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @san
[san]
DNS.1 = ${IMMUTA_HOSTNAME}
EOF
)

Note: By default this CA and certificate will be valid for 3 years. To increase or decrease the validity period, change all occurrences of 1024.

If you have certificates that are valid for IMMUTA_HOSTNAME and are signed by a Certificate Authority that your users trust, copy the certificate and key into the correct place for the external certificates.