Amazon EMR
Amazon EMR Release Guide

Providing Certificates for In-Transit Data Encryption with Amazon EMR Encryption

For in-transit data encryption, you have to two options to specify the artifacts used for encryption:

  • You can manually create PEM certificates, include them in a zip file, and then reference the zip file in Amazon S3.

  • You can implement a custom certificate provider as a Java class. You specify the JAR file of the application in Amazon S3, and then provide the full class name of the provider as declared in the application. The class must implement the TLSArtifactsProvider interface available beginning with AWS SDK for Java version 1.11.0.

Amazon EMR automatically downloads artifacts to each node in the cluster and later uses them to implement the open-source, in-transit encryption features. For more information about available options, see In-Transit Data Encryption.

Using PEM Certificates

When you specify a zip file for in-transit encryption, the security configuration expects PEM files within the zip file to be named exactly as they appear below:

In-transit encryption certificates

File name Required/optional Details
privateKey.pem Required Private key
certificateChain.pem Required Certificate chain
trustedCertificates.pem Optional Required if the provided certificate is signed neither by the Java default trusted root certification authority (CA) nor an intermediate CA that can link to the Java default trusted root CA. The Java default trusted root CAs can be found in jre/lib/security/cacerts.

You likely want to configure the private key PEM file to be a wildcard certificate that enables access to the Amazon VPC domain in which your cluster instances reside. For example, if your cluster resides in us-east-1, you may choose to specify a common name in the certificate configuration that allows access to the cluster by specifying CN=*.ec2.internal in the certificate subject definition. For more information about Amazon EMR cluster configuration within Amazon VPC, see Select an Amazon VPC Subnet for the Cluster.

The following example demonstrates how to use OpenSSL to generate a self-signed X.509 certificate with a 1024-bit RSA private key that allows access to the issuer's Amazon EMR cluster instances in the US East (N. Virginia) region. This is identified by the *.ec2.internal domain name as the common name. Other optional subject items—such as country (C), state (S), Locale (L), etc.—are specified. Because a self-signed certificate is generated, the example then copies the certificateChain.pem file to the trustedCertificates.pem file. The zip command is then used to create the file that contains the certificates.


This example is a proof-of-concept demonstration only. Using self-signed certificates is not recommended and presents a potential security risk. For production systems, use a trusted certification authority (CA) to issue certificates.

$ openssl req -x509 -newkey rsa:1024 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -subj '/C=US/S=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.ec2.internal' $ cp certificateChain.pem trustedCertificates.pem $ zip -r -X certificateChain.pem privateKey.pem trustedCertificates.pem

Using a Custom Certificate Provider

Custom certificate providers must implement the TLSArtifacts provider interface.