Managing Certificate Authority certificates in Cloudera AI Workbenches

This topic describes how Administrators can manage Certificate Authority (CA) certificates within Cloudera AI Workbenches to enable secure connections to internal, certificate-protected endpoints.

In enterprise environments, internal endpoints, such as private Git repositories, Python package indexes (using pip), and internal HTTPS services, are frequently secured using self-signed or organization-specific CA certificates.
By default, Cloudera AI does not automatically trust these certificates. This lack of trust can lead to operational failures when performing critical actions, including:
  • Connecting to or cloning from internal Git repositories.
  • Installing packages using pip from private indexes.
  • Accessing internal HTTPS endpoints.
  • Loading AMP catalogs from internal sources.
  • Creating AMPs from private Git-based AMP repositories.

This feature provides a mechanism to establish secure, certificate-based trust for these protected endpoints at the workbench level. It allows you to upload CA certificates directly through the workbench UI and trigger a Refresh Certificate action to apply trust across relevant services.

To use CA certificates, you need to upload a valid certificate and then initiate a refresh. The refresh propagates trust throughout the workbench. Each Workbench can store encoded certificate content up to 1 MB in size.

For secure connections, it is recommended to adhere to best practices by generating a private root CA with basic constraints set to CA:TRUE. Additionally, ensure that certificates for endpoints include an accurate Subject Alternative Name (SAN).
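
A pre-upload check for the size limit and the CA:TRUE and SAN recommendations above, written with the OpenSSL command line. This is an added example, not Cloudera's code: it assumes PEM input, treats the 1 MB limit as 1,048,576 bytes, and the function names check_ca_cert and check_endpoint_cert are illustrative.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for a workbench CA certificate.
# Assumptions: PEM input; the 1 MB limit is taken as 1,048,576 bytes.
MAX_BYTES=1048576

# check_ca_cert FILE: succeed only if FILE holds exactly one parseable
# X.509 certificate, fits the size limit, and asserts CA:TRUE.
check_ca_cert() {
  local file="$1" size count text
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
  size=$(( $(wc -c < "$file") ))
  [ "$size" -le "$MAX_BYTES" ] \
    || { echo "FAIL: $size bytes exceeds $MAX_BYTES"; return 1; }
  # Certificates are uploaded one at a time, so a bundle is rejected here.
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
  [ "$count" -eq 1 ] \
    || { echo "FAIL: expected 1 certificate, found $count"; return 1; }
  text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) \
    || { echo "FAIL: not a parseable X.509 certificate"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "FAIL: basic constraints do not set CA:TRUE"; return 1; }
  echo "OK: $file"
}

# check_endpoint_cert CA_FILE LEAF_FILE HOSTNAME: succeed only if the
# endpoint certificate chains to the CA, carries a SAN extension, and
# matches HOSTNAME.
check_endpoint_cert() {
  local ca="$1" leaf="$2" host="$3"
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: $leaf does not chain to $ca"; return 1; }
  openssl x509 -in "$leaf" -noout -text 2>/dev/null \
    | grep -q 'X509v3 Subject Alternative Name' \
    || { echo "FAIL: no Subject Alternative Name extension"; return 1; }
  # -checkhost can fall back to the CN, hence the separate SAN test above.
  openssl x509 -in "$leaf" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match certificate' \
    || { echo "FAIL: certificate does not match $host"; return 1; }
  echo "OK: $leaf is valid for $host"
}
```

Source the file, then run check_ca_cert on each certificate before uploading it, and check_endpoint_cert against a copy of the internal endpoint's certificate.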

1. Uploading CA Certificates

Workbenches support multiple CA certificates, and you must upload them individually to the workbench. To upload the custom CA certificates to the workbench:
  1. In the Cloudera console, click the Cloudera AI tile.

    The Cloudera AI Workbenches page displays.

  2. On the Cloudera AI Workbenches page, click the Actions menu next to the desired Cloudera AI Workbench.
  3. Click View Details. The Cloudera AI Workbench Details page displays.
  4. Scroll down to the CA Certificates section.
  5. Upload the CA certificate content using one of the following methods (the certificate must be in a valid certificate format):
    1. File Upload: Select a valid certificate file to upload.
    2. Direct Input: Copy and paste the valid certificate content as text into the field.
  6. Click Upload.

2. Refreshing Certificates

  1. In the Cloudera AI Workbench Details page, click the Actions menu.
  2. Click Refresh Certificate.
  3. Click Confirm to start the process.

Once triggered, the action picks up all uploaded certificates and ensures the workbench services trust the customer endpoints. You must recreate the existing workloads (sessions, jobs, applications, and models) if those workloads need to trust the newly applied certificates.