Updating TLS certificates

From the Cloudera Management Console of your Cloudera Private Cloud deployment, you can update the CA certificate that issued the TLS certificates used by Cloudera to establish secure connections with different types of services and workloads, such as the ingress controller certificate. For specified services, you can update the certificates whenever you rotate them.

You must ensure that all the services for which you want to update the certificates are TLS-enabled.

Sign in to the Cloudera console.
Click Cloudera Management Console.
On the Cloudera Management Console home page, select Administration>CA Certificates.
From the CA Certificate Type dropdown list, select the type of service for which you want to upload a new TLS certificate.
You can select from the following options for the types of secure connections:
- Datalake: For secure connections with the Cloudera Private Cloud Base cluster services and Cloudera Manager.
- Docker Registry: For a secure connection with the Docker Container registry containing the images for deployment.
- External Database: For a secure connection with an external PostgreSQL database.
- External Vault: For a secure connection with an external vault.
- Miscellaneous: For a secure connection with services used during the installation and run time of Cloudera. For example, Custom Ingress, Custom Kubernetes API, and so on.
  important
  If your Cloudera Private Cloud deployment uses an external vault, then after updating the certificates for these services, you must reconfigure the certificates with the vault to ensure that it validates the certificates. For more information, see Updating custom certificates
Select the option to either browse and upload a certificate or directly enter the certificate details.

important
The certificate must be in the X.509 PEM format and structured as follows:
----BEGIN CERTIFICATE-----..-----END CERTIFICATE-----.