Configure Greenplum Chorus with an SSL certificate.

Greenplum recommends that you configure Greenplum Chorus with an SSL certificate. There are several ways to do this, including setting up a web server in front of Chorus, or installing the certificate on the load balancer.

To generate an SSL certificate with OpenSSL

Note: If you are using a self-signed certificate, your browser will prompt you with an untrusted SSL certificate warning.

1. Generate an RSA private key

openssl genrsa -des3 -out server.key 1024

Use any passphrase that you will remember later.

2. Generate a Certificate Signing Request (CSR)

openssl req -new -key server.key -out server.csr

Respond to the questions as shown in the examples:

What is your first and last name?


Note: Enter the URL for Greenplum Chorus.

What is the name of your organizational unit?


Data and Insights

What is the name of your organization?



What is the name of your City or Locality?


San Mateo

What is the name of your State or Province?



What is the two-letter country code for this unit?



Is, OU=Data and Insights, O=Greenplum, L=San Mateo, ST=California, C=US correct?



Enter key password for <chorus> (RETURN if same as keystore password.)

3. Remove Passphrase from Key

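# Keep the passphrase-protected key as a copy (the copy's file name is an example), then write the key back without a passphrase.

cp server.key server.key.orig

openssl rsa -in server.key.orig -out server.key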

Without this step you will need to type the password you created in Step 1 each time you start Chorus.

4. Generate a self-signed certificate from the CSR

Note: If you want an official SSL certificate (Greenplum recommended), submit this CSR to a signing authority such as Thawte or Verisign and continue to Step 5 when you have the certificate (.crt) file.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5. Install the Private Key and Certificate into Chorus 

Configure to point to the locations of your private key and certificate files:

ssl.enabled= true

ssl_server_port= 8443





Restart Chorus to apply the configuration.

Note: To run Chorus on port 443 (the default SSL port, e.g. https://:443), Greenplum recommends that you set up a web server proxy to Chorus.
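
Steps 1 to 4 as one non-interactive script, followed by checks to run on the key and certificate before pointing Chorus at them in step 5. This is an added example, not part of the Chorus documentation. The CN chorus.example.com, the demo passphrase, the temp directory, the backup file name, the 2048-bit key size (the page's command uses 1024), -aes256 in place of -des3, and all function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Chorus documentation). Constructed values: the CN, the
# demo passphrase, the temp directory, 2048-bit RSA, -aes256 instead of -des3.
set -eu

# Steps 1-4 without prompts. $1 = output directory, $2 = certificate CN.
make_cert() {
    d=$1; cn=$2; pw=pass:constructed-demo-passphrase
    openssl genrsa -aes256 -passout "$pw" -out "$d/server.key.orig" 2048 2>/dev/null
    openssl rsa -in "$d/server.key.orig" -passin "$pw" -out "$d/server.key" 2>/dev/null
    chmod 600 "$d/server.key" "$d/server.key.orig"  # server.key is unencrypted on disk
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=US/ST=California/L=San Mateo/O=Greenplum/OU=Data and Insights/CN=$cn"
    openssl x509 -req -days 365 -in "$d/server.csr" -signkey "$d/server.key" \
        -out "$d/server.crt" 2>/dev/null
}

# Checks before step 5. Each returns 0 when the check passes.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

key_matches_cert() {     # $1 = key, $2 = certificate: compare public keys
    [ "$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

cert_key_bits() {        # prints the RSA key size recorded in the certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

cert_valid_for_days() {  # $1 = certificate, $2 = days it must remain valid
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

preflight() {            # $1 = key, $2 = certificate; prints first failure or "ok"
    key_is_unencrypted "$1"    || { echo "key still has a passphrase"; return 1; }
    key_matches_cert "$1" "$2" || { echo "certificate does not match key"; return 1; }
    [ "$(cert_key_bits "$2")" -ge 2048 ] || { echo "RSA key under 2048 bits"; return 1; }
    cert_valid_for_days "$2" 30 || { echo "certificate expires within 30 days"; return 1; }
    echo ok
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_cert "$demo_dir" chorus.example.com
preflight "$demo_dir/server.key" "$demo_dir/server.crt"
```

The same preflight call works on a CA-issued server.crt: a mismatch there usually means the certificate was issued for a CSR made from a different key.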