The Trino documentation describes securing access to a Trino cluster over HTTPS with a load balancer, PEM files, or Java KeyStore files. A PKCS #12 file is another option for enabling HTTPS. It is a binary format that stores a certificate chain and private key in a single, encryptable file with a .p12 or .pfx extension. The file is always encrypted with a password. Depending on the tool used to generate it, a PKCS #12 file might be an intermediate file produced before a PEM file. This means one step can be skipped when creating private keys.
1. Validate PKCS #12 file
openssl pkcs12 -info -in coordinator_key.pfx
2. Place file on coordinator
The file can be placed in any location accessible to the Trino coordinator server process.
3. Add file to config.properties file
This configuration is deployed only on the coordinator.
4. Restart coordinator
To apply the configuration, the cluster has to be restarted.
5. Validate configuration
Open the Web UI or run the Trino CLI.
6. Extract public certificate
In some cases, you might need the public certificate on its own. It is also the intermediate file used to generate the keystore in the next step.
openssl pkcs12 -in coordinator_key.pfx -clcerts -nokeys -out public_certificate.crt
Follow the steps in the Export TLS/SSL Server Certificate from Internet Browser article.
7. Create keystore with public certificate
This is an optional step. The certificate might be used by tools or Java applications to access a Trino cluster.
Make sure that the keystore file does not already exist. The keystore requires a password.
keytool -import -trustcacerts -file public_certificate.crt -alias mytrinocluster -keystore public_certificate.ks -storepass mypassword
8. Validate keystore
keytool -v -list -keystore public_certificate.ks -storepass mypassword
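
The validation in step 1 can be scripted so that a bad bundle is caught before the coordinator restart in step 4. The following is an added example, not part of the original article; it goes beyond `-info` by also checking that the key matches the certificate, that the certificate is not about to expire, and that it covers the coordinator hostname. The function names, the P12_PASS variable and the hostname trino.example.com are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for a PKCS #12 bundle.
# Assumption: the password is passed in the P12_PASS environment variable, so it
# does not show up in the process list the way a command-line argument would.

# check_p12 FILE HOSTNAME [MIN_DAYS]  ->  returns 0 only if every check passes
check_p12() {
  local p12="$1" host="$2" min_days="${3:-30}" rc=0 tmp
  tmp="$(mktemp -d)" || return 2   # mode 0700 directory; holds the key only briefly
  # 1. The bundle opens with the password and contains a leaf certificate.
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
      -out "$tmp/leaf.crt" 2>/dev/null &&
    grep -q 'BEGIN CERTIFICATE' "$tmp/leaf.crt" ||
    { echo "FAIL: wrong password, corrupt file or no leaf certificate"; rm -rf "$tmp"; return 1; }
  # 2. The bundle contains the private key; a certificate-only file cannot serve HTTPS.
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
      -out "$tmp/key.pem" 2>/dev/null &&
    grep -q 'PRIVATE KEY' "$tmp/key.pem" ||
    { echo "FAIL: no private key in bundle"; rm -rf "$tmp"; return 1; }
  # 3. Key and certificate belong together: their public keys must be identical.
  [ "$(openssl x509 -in "$tmp/leaf.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$tmp/key.pem" -pubout)" ] ||
    { echo "FAIL: private key does not match certificate"; rc=1; }
  # 4. The certificate stays valid for at least MIN_DAYS more days.
  openssl x509 -in "$tmp/leaf.crt" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days"; rc=1; }
  # 5. The certificate is valid for the hostname clients use to reach the coordinator.
  openssl x509 -in "$tmp/leaf.crt" -noout -checkhost "$host" | grep -q 'does match' ||
    { echo "FAIL: certificate does not cover $host"; rc=1; }
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $p12 passes all checks for $host"
  return "$rc"
}

# Constructed sample input: a throwaway self-signed bundle for trying check_p12 offline.
# make_sample_p12 OUTFILE HOSTNAME   (password again taken from P12_PASS)
make_sample_p12() {
  local d rc
  d="$(mktemp -d)" || return 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
      -addext "subjectAltName=DNS:$2" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -name sample \
      -passout env:P12_PASS -out "$1"
  rc=$?
  rm -rf "$d"
  return "$rc"
}
```

For a real bundle, export P12_PASS in the shell and run `check_p12 coordinator_key.pfx <coordinator hostname>`; each failed check prints its own FAIL line.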