Rotate Auto-TLS Certificate Authority and Host Certificates
Your cluster security requirements may require that you rotate the auto-TLS CA and certificates.
Using an internal CA (Use case 1)
- Navigate to Rotate Auto-TLS Certificates to launch the wizard. . Click
- Complete the wizard.
Using a custom CA (Use case 3)
- Use the /cm/commands/addCustomCerts API command to replace the old
certificates with new certificates in CMCA directory for each host. You must run this
command for each host separately. An example of a curl command to upload the
certificates to Cloudera Manager :
In the example above, the "location" should be omitted if Auto-TLS was enabled or rotated after 7.1, and the file paths should point to files on the CM server host.curl -u admin:admin -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "location": "/opt/cloudera/AutoTLS", "interpretAsFilenames": true, "hostCerts": [ { "hostname": "ccycloud-10.vcdp71.root.hwx.site", "certificate": "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem", "key": "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem" } ] }' 'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/addCustomCerts'
-
Use CM API /hosts/{hostId}/commands/generateHostCerts to deploy the new certificates to each host. You must run this command for each host separately. An example curl command :
where '250e1bb7-8987-419c-a53f-c852c275d299' in the command above is the hostID.curl -u admin:admin -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "sshPort" : 22, "userName" : "root", "password" : "cloudera" }' 'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/hosts/250e1bb7-8987-419c-a53f-c852c275d299/commands/generateHostCerts'