Kudu / KUDU-2401

External TLS certificate with Intermediate CA in server cert file fails

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.0
    • Fix Version/s: 1.8.0
    • Component/s: security

    Description

      This was found while using Impala w/ KRPC with external PKI.

      Take 2 certificate files: cert.pem and truststore.pem

      cert.pem has 2 certificates in it:
      A cert for that node (with CN="hostname", and signed by CN=CertToolkitIntCA)
      And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by CN=CertToolkitRootCA)

      truststore.pem has 1 certificate in it:
      A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

      This format of certificates works with Impala on Thrift but it doesn't work with KRPC.

      Workaround for this issue w/ KRPC turned on:
      If we move the second certificate from cert.pem (CN=CertToolkitIntCA) into truststore.pem, then this seems to work.

      Also TODO: Add a test case that has multiple intermediate CAs. Right now we're testing with only one intermediate CA.

            People

              Assignee: Sailesh Mukil (sailesh)
              Reporter: Sailesh Mukil (sailesh)
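
The two certificate layouts from the description, rebuilt with a throwaway PKI and checked with `openssl verify`. This is an added example, not part of the original report or of Kudu's code, and it shows only how a standard X.509 verifier treats each layout, not KRPC's behaviour. The CA and host names come from the report; the key size, the other file names and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI (constructed) mirroring the file layout in the report.
set -eu

new_key_csr() {  # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {  # $1 = existing empty directory to write into
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_key_csr root CertToolkitRootCA   # self-signed root: sole cert in truststore.pem
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out truststore.pem 2>/dev/null
    new_key_csr int CertToolkitIntCA     # intermediate CA, signed by the root
    openssl x509 -req -in int.csr -CA truststore.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null
    new_key_csr node hostname            # node cert, signed by the intermediate
    openssl x509 -req -in node.csr -CA int.pem -CAkey int.key \
      -CAcreateserial -days 2 -out node.pem 2>/dev/null
    cat node.pem int.pem > cert.pem      # report's cert.pem: node cert, then intermediate
    cat truststore.pem int.pem > truststore_workaround.pem )
}

# Layout from the report: node cert and intermediate travel together in cert.pem,
# only the root is trusted. -untrusted offers cert.pem's certificates as
# chain-building candidates without trusting them.
verify_report_layout() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}

# Same trust store, but the verifier is handed the node certificate alone.
verify_leaf_only() {
  openssl verify -CAfile "$1/truststore.pem" "$1/node.pem" >/dev/null 2>&1
}

# Workaround layout from the report: intermediate moved into the trust store.
verify_workaround_layout() {
  openssl verify -CAfile "$1/truststore_workaround.pem" "$1/node.pem" >/dev/null 2>&1
}

dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
build_pki "$dir"
for check in verify_report_layout verify_leaf_only verify_workaround_layout; do
  if "$check" "$dir"; then echo "$check: chain verifies"; else echo "$check: verification fails"; fi
done
```

`verify_leaf_only` fails because nothing supplies the intermediate, while the other two layouts build a complete chain to the root.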