Updating the Control Plane certificates in Cloudera Data Engineering services

Learn about how to update the Control Plane certificates in Cloudera Data Engineering services.

When you create a Cloudera Data Engineering service, Cloudera Data Engineering automatically installs a self-signed TLS certificate. Do the following steps to update the TLS certificate for Cloudera Data Engineering services:

Cloudera Data Engineering UI
Cloudera Data Engineering API

In the Cloudera console, click the Data Engineering tile. The Cloudera Data Engineering Home page displays.
Click Administration in the left navigation menu. The Administration page displays.
In the Services column, select the service for which you want to update the TLS certificate and click Service Details.
Click on GRAFANA CHARTS and get the domain name.
Paste the URL into a text editor to identify the service domain.. For example, if the URL copied is https://service.cde-2cdxw5x5.apps.ecs-demo.example.com/grafana/d/sK1XDusZz/kubernetes, The service domain is https://service.cde-2cdxw5x5.apps.ecs-demo.example.com.
note
Currently in the case of ECS, the URL copied to your clipboard starts with http://, not https://. To use the URL, you must manually change this to https://. In the case of OCP, the link must start with https://.
Create your CA certificate and private key. Make sure that your CA certificate includes the Subject Alternative Names (SAN) for all relevant endpoints.
note
If you want to use a wildcard certificate, make sure that it includes the Subject Alternative Names (SAN) for all relevant endpoints.
- CN (Common Name): *.cde-2cdxw5x5.apps.ecs-demo.example.com
  note
  The common name must be less than or equal to 64 characters long.
- Domain name for the Service: service.cde-2cdxw5x5.apps.ecs-demo.example.com
Sign in to Cloudera Data Engineering as Service Admin. The Cloudera Data Engineering Home page displays.
Click Administration in the left navigation menu. The Administration page displays.
In the Services column, select the service for which you want to you want to update the TLS certificate and click Service Details.
Click TLS Certificate.
Click Upload Certificate.
Under PEM file, click Select File and select your TLS certificate.
Under Key file, click Select File and select your key file.
(Optional) If your key file is encrypted with a password, then enter the password in the Passphrase field.
Click Install Certificate.
Repeat the steps for all the relevant Services.

Perform the following steps to update the TLS certificate for Cloudera Data Engineering services:

Make sure that you are using the ServiceAdmin role and rotate Service level TLS Certificate.

cdpcurl -X PUT -k [***CDP_ENDPOINT***]/dex/api/v1/cluster/[***CLUSTER-ID***]/tls \
    -d '{
            "certificate_details": {
                "certificate": "[***BASE64-encoded.pem-FILE-CONTENT***]",
                "key": "[***BASE64-ENCODED-FILE-CONTENT***]",
                "passphrase": "[***BASE64-ENCODED-PASSPHRASE-FOR-THE-KEY***]"
            }
        }' \
    --access_key [***ACCESS-KEY***] \
    --private_key [***PRIVATE-KEY***]

Make sure that you are using at least a ServiceUser role and view Service level TLS Certificate information.
```
cdpcurl -X GET '[***CDP_ENDPOINT***]/dex/api/v1/cluster/[***CLUSTER-ID***]/tls' \
-d '{}' \
    --access_key [***ACCESS-KEY***] \
    --private_key [***PRIVATE-KEY***]
```
important
- To generate an API access key, see Generating an API access key.
- For more information about cdpcurl command, see cdpcurl page.
- Use -k in the command only if your Cloudera Data Services on premises certificate is not trusted on your machine.