Configuring cluster issuer for Certificate Manager

A third-party Certificate Manager is installed by default as part of the Cloudera Embedded Container Service installation. Learn how you can configure cluster issuers with the appropriate annotations to enable the use of certificate manager in Cloudera Data Warehouse.

It is recommended that you configure the certification manager before creating any Database Catalogs or Virtual Warehouses in Cloudera Data Warehouse. For installing a cluster issuer, see Setting up Certification Manager using Venafi TPP. To validate if there is a valid cluster issuer, see the following rules:

The cluster issuer must have the following annotation: issuer.cdp.cloudera.com/type=longlived
The cluster issuer must have the label set as follows: issuer.cdp.cloudera.com/project=[***CDP_NAMESPACE***]

Alternatively, you can configure the certificate duration by setting the issuer.cdp.cloudera.com/duration annotation in the cluster issuer. The data service applies the specified duration for all certificate requests. For example, to configure a certificate duration of 6 months, set issuer.cdp.cloudera.com/duration=4380h.

By default, certificate manager requests certificates with a 90-day expiration and automatically renews them when they are 2/3 of the way through their validity period. This means certificates are renewed after 60 days. If the certificate expiration is modified to 1 year, the certificate manager will renew the certificate after 8 months.

note

It is recommended to create a unique and valid cluster issuer following the preceding rules.
If the cluster issuer is not in a ready state, the Kubernetes cluster-level certificate is used, which may result in certificate errors in the browser.
If the certification manager related settings are modified in any way, you must rebuild the Database Catalog, Virtual Warehouses, Hue, and the Cloudera Data Visualization instance. A Refresh operation does not recreate or request the certificates.
When the Certification Manager is enabled, the trust store file provided by the Cloudera Data Warehouse becomes invalid for connecting to Beeline.
You can fetch a trust store file from the Cloudera Data Warehouse UI to configure TLS and connect to Beeline. For instructions on downloading the trust store file, see Downloading root certificates from Cloudera Data Warehouse web UI.
However, when the certification manager is enabled, Cloudera Data Warehouse continues to provide the same trust store file, even though the Hive cluster uses a different certificate. The issue arises because Cloudera Data Warehouse cannot provide a trust store compatible with the configured certificate issuer.
To resolve this issue, use your own certificate authority and set up a trust store on your system. You can do this by fetching the public key of the root CA (in .pem or .crt format), and then creating a new trust store using the following command:
```
keytool -importcert -trustcacerts -file rootca.pem -alias rootca -keystore truststore.jks -storepass changeit
```