Rotate Auto-TLS Certificate Authority and Host Certificates

Your cluster security requirements may require that you rotate the auto-TLS CA and certificates.

Using an internal CA (Use case 1)

  1. Navigate to Administration > Security. Click Rotate Auto-TLS Certificates to launch the wizard.
  2. Complete the wizard.

Using a custom CA (Use case 3)

  1. Use the /cm/commands/addCustomCerts API command to replace the old certificates with new certificates in CMCA directory for each host. You must run this command for each host separately. An example of a curl command to upload the certificates to Cloudera Manager :
    curl -u admin:admin -X POST --header 'Content-Type:
                            application/json' --header 'Accept: application/json' -d '{
                            "location": "/opt/cloudera/AutoTLS",
                            "interpretAsFilenames": true,
                            "hostCerts": [ {
                            "hostname": "ccycloud-10.vcdp71.root.hwx.site",
                            "certificate":
                            "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem",
                            "key":
                            "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem"
                            } ]
                            }' 'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/addCustomCerts'
    In the example above, the "location" should be omitted if Auto-TLS was enabled or rotated after 7.1, and the file paths should point to files on the CM server host.
  2. Use CM API /hosts/{hostId}/commands/generateHostCerts to deploy the new certificates to each host. You must run this command for each host separately. An example curl command :
    curl -u admin:admin -X POST --header 'Content-Type: application/json' --header 
                                'Accept: application/json' -d '{ "sshPort" : 22, "userName" : "root", "password" : "cloudera" }' 
                                'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/hosts/250e1bb7-8987-419c-a53f-c852c275d299/commands/generateHostCerts' 
    where '250e1bb7-8987-419c-a53f-c852c275d299' in the command above is the hostID.