Before CDP Private Cloud Base 7.1.9, Ozone’s internal certificates expired after one year and CA certificates expired after five years. When the certificates expire, you must manually renew and revoke them by performing the following steps:
- When the Ozone internal SSL certificates expire, you must remove the existing key material and certificates from the services metadata directory and allow the system to regenerate the certificates at startup. To renew the internal certificates, see Procedure to force renew internal certificates.

  Since CDP Private Cloud Base 7.1.9, general service certificates are renewed automatically, without the need for a restart and without causing any service disruptions. For more information, see Release Notes.
- CA certificates expire after 5 years. Cloudera Data Platform is working on the automatic renewal of the CA certificates within the system without any disruption, similar to the regular certificates. If CA certificates expire, you need to follow the same procedure that is required for certificate revocation.

  To revoke a certificate, you must remove the full trust chain to stop trusting a compromised certificate. To do this, remove the SCM certificates and any other certificates from the system. During the system startup, new certificates are created and distributed. To revoke a certificate, see Certificate revocation.