Before CDP 7.1.9, Ozone’s internal certificates expired after one
year and CA certificates expired after five years. When the certificates expire, you
must manually renew and revoke them by performing the following steps:
When the Ozone internal SSL certificates expire, you must remove
the existing key material and certificates from the services metadata
directory and allow the system to regenerate the certificates at startup. To
renew the internal certificates, see Procedure to force renew internal
Since CDP 7.1.9, general service certificates are renewed automatically
without the need for a restart or without causing any service disruptions.
For more information, see Release Notes.
CA certificates expire after 5 years. Cloudera is working on the
automatic renewal of the CA certificates within the system without any
disruption, similar to the regular certificates. In case CA certificates
expire, you need to follow the same procedure that is required for
To revoke a certificate, you must remove the full trust chain to
stop trusting a compromised certificate. For this, remove the SCM
certificates and any other certificates from the system. During the system
startup, new certificates are created and distributed. To revoke a
certificate, see Certificate revocation.