Use case 1: Use CM to generate an internal CA and corresponding certificates

The simplest option is to let Cloudera Manager create and manage its own Certificate Authority.

To choose this option, from Cloudera Manager go to Administration > Security > (Status tab) > Enable Auto-TLS and complete the wizard.
You will be prompted to start Cloudera Manager, followed by the Cloudera management services and any impacted clusters. Once the Cloudera Manager server has started, the UI is served on the TLS port, 7183 by default. The browser will show a self-signed certificate from the SCM Local CA authority. It shows a warning because it is not aware of the Root CA generated by CM. Once the Root CA is imported into the client browser’s truststore, the browser no longer shows this warning.
When you set up the cluster, you should see a message stating that Auto-TLS is already enabled. Continue to install the required services. Voila! The whole cluster is TLS encrypted. Any new hosts or services are automatically configured. Here is an example of the HDFS service with TLS encryption enabled by default (after trusting the root certificate generated by Cloudera Manager).
While this option is the simplest, it may not be suitable for some enterprise deployments where TLS certificates are issued by the company’s existing Certificate Authority (CA) to maintain a centralized chain of trust.
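To confirm from a client that the browser warning described above comes only from the unknown root CA, the handshake against port 7183 can be repeated with and without the CM-generated root CA as the trust anchor. This is an added example, not Cloudera's code; the hostname and the PEM file name are placeholders, because the page does not say where the root CA is exported.

```python
import socket
import ssl

CM_TLS_PORT = 7183  # default Cloudera Manager TLS port named on the page


def probe_cm_tls(host, port=CM_TLS_PORT, ca_file=None, timeout=5.0):
    """Handshake with Cloudera Manager and report whether its chain is trusted.

    ca_file is a PEM export of the CM-generated root CA (assumed to have been
    copied to the client). With ca_file=None only the system trust store is
    used, which is the position a browser is in before the root CA is imported.
    With ca_file set, ONLY that CA is trusted, so a certificate from any other
    issuer is rejected.
    """
    # create_default_context enforces CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return {"status": "trusted",
                        "issuer": issuer.get("commonName"),
                        "not_after": cert["notAfter"],
                        "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # Typical OpenSSL codes when the root CA is not trusted:
        # 19 (self-signed certificate in chain), 20 (unable to get local issuer).
        # Code 62 means the chain is fine but the hostname does not match.
        return {"status": "untrusted",
                "verify_code": exc.verify_code,
                "reason": exc.verify_message}
    except ssl.SSLError as exc:      # handshake failed for a non-certificate reason
        return {"status": "tls_error", "reason": str(exc)}
    except OSError as exc:           # refused, timed out, DNS failure
        return {"status": "unreachable", "reason": str(exc)}


if __name__ == "__main__":
    host = "cm.example.internal"     # placeholder hostname
    print("system trust only:", probe_cm_tls(host))
    print("CM root CA only:  ", probe_cm_tls(host, ca_file="cm-root-ca.pem"))  # placeholder file
```

An `untrusted` result that persists after the CM root CA is supplied points to a different issuer or a hostname mismatch, and should be investigated rather than bypassed with a browser exception.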