Rotate Auto-TLS Certificate Authority and Host Certificates

Your cluster security requirements may require that you rotate the auto-TLS CA and certificates.

Using an internal CA (Use case 1)

  1. Navigate to Administration > Security. Click Rotate Auto-TLS Certificates to launch the wizard.
  2. Complete the wizard.

Using a custom CA (Use case 3)

  1. Use the /cm/commands/addCustomCerts API command to replace the old certificates with the new ones in the CMCA directory for each host. You must run this command once per host. An example curl command that uploads the certificates to Cloudera Manager:
    curl -u admin:admin -X POST \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      -d '{
        "location": "/opt/cloudera/AutoTLS",
        "interpretAsFilenames": true,
        "hostCerts": [ {
          "hostname": "ccycloud-10.vcdp71.root.hwx.site",
          "certificate": "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem",
          "key": "/tmp/auto-tls/certs/ccycloud-10.vcdp71.root.hwx.site.pem"
        } ]
      }' \
      'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/addCustomCerts'
    In the example above, omit the "location" field if Auto-TLS was enabled or rotated after 7.1. The file paths must point to files on the Cloudera Manager server host, not on the host being rotated.
  2. Use the CM API /hosts/{hostId}/commands/generateHostCerts to deploy the new certificates to each host. You must run this command once per host. An example curl command:
    curl -u admin:admin -X POST \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      -d '{ "sshPort" : 22, "userName" : "root", "password" : "cloudera" }' \
      'https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/hosts/250e1bb7-8987-419c-a53f-c852c275d299/commands/generateHostCerts'
    where '250e1bb7-8987-419c-a53f-c852c275d299' in the command above is the hostId of the target host.
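The two per-host steps above, driven from a script rather than by hand, as an added example that is not Cloudera's own code. Hostnames, file paths and credentials are placeholders you supply; it assumes GET /hosts returns the usual list of items carrying hostId and hostname (used to look up the hostId the page's curl example hard-codes), and that the CA behind the Cloudera Manager server certificate is trusted by Python's default TLS context.

```python
import base64
import json
import urllib.request

def check_base_url(base_url):
    """Refuse anything but https on 7183: Basic-auth credentials travel on every call."""
    base_url = base_url.rstrip("/")
    if not base_url.startswith("https://") or not base_url.endswith(":7183"):
        raise ValueError(f"refusing non-TLS or wrong-port CM URL: {base_url}")
    return base_url

def add_custom_certs_payload(hostname, cert_path, key_path, location=None):
    """Body for POST /cm/commands/addCustomCerts; paths are files on the CM server host.
    'location' is set only for Auto-TLS enabled before 7.1 and omitted otherwise."""
    body = {"interpretAsFilenames": True,
            "hostCerts": [{"hostname": hostname, "certificate": cert_path, "key": key_path}]}
    if location is not None:
        body["location"] = location
    return body

def generate_host_certs_payload(user_name, password, ssh_port=22):
    """Body for POST /hosts/{hostId}/commands/generateHostCerts (SSH login for that host)."""
    return {"sshPort": ssh_port, "userName": user_name, "password": password}

def host_id_for(hosts_listing, hostname):
    """Resolve hostname -> hostId from a GET /hosts response; shape {"items": [...]} assumed."""
    ids = [h["hostId"] for h in hosts_listing.get("items", []) if h.get("hostname") == hostname]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one host named {hostname!r}, found {len(ids)}")
    return ids[0]

def cm_call(base_url, auth, path, body=None):
    """GET (body is None) or POST JSON to the CM API with HTTP Basic auth; returns parsed JSON."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base_url + "/api/v41" + path, data=data, method="GET" if data is None else "POST",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def rotate_host(base_url, auth, ssh_auth, hostname, cert_path, key_path, location=None):
    """Steps 1 and 2 above for one host; returns the generateHostCerts command object."""
    base_url = check_base_url(base_url)
    cm_call(base_url, auth, "/cm/commands/addCustomCerts",
            add_custom_certs_payload(hostname, cert_path, key_path, location))
    host_id = host_id_for(cm_call(base_url, auth, "/hosts"), hostname)
    return cm_call(base_url, auth, f"/hosts/{host_id}/commands/generateHostCerts",
                   generate_host_certs_payload(*ssh_auth))
```

Call rotate_host once per cluster host, e.g. rotate_host("https://cm.example:7183", ("admin", "admin"), ("root", "cloudera"), "host1.example", "/tmp/auto-tls/certs/host1.pem", "/tmp/auto-tls/certs/host1.pem"), and poll the returned command's id until it reports success before moving to the next host.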

An alternative is to swap out any expiring or invalid certificates in the locations referenced by the latest generateCmca API call with valid ones. When all hosts are included in the hostCerts list (except for the cmHostCert and key) and point to valid certificates and keys, the generateCmca API call can be run again. Ensure that the URL uses https:// and port 7183, and that all certificates share exactly the same CA chain (the same intermediate CAs and root).