Decryption Key and Encryption Certificate rotation

Follow these steps to avoid any downtime during the key and certificate rotation:

  1. Generate a new private key for decrypting SAML assertions and a corresponding certificate for encrypting assertions.
  2. Upload this new private key in the Next private key for decrypting SAML assertions field in the Cloudera Management Console.
  3. Upload the certificate in the Certificate for Encrypting SAML Responses field in the Cloudera Management Console.
  4. Click Update Authentication Settings.
  5. Download the latest SAML Service Provider Metadata from the Cloudera Management Console. It should now contain the new "encryption" certificate.
  6. Upload this service provider metadata to your Identity Provider, so that the Identity Provider starts encrypting SAML assertions with the new certificate.
  7. Once the IdP begins using the new encryption certificate:
    1. Upload the new private key in the Cloudera Management Console as the Current Private Key for Decrypting SAML Assertions.
    2. Remove the Next Private Key for Decrypting SAML Assertions by clicking the Remove button next to it or by entering an empty string.
    3. Click Update Authentication Settings to finalize the key rotation.
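Before uploading the downloaded metadata to the IdP (step 6), it is worth confirming that its `KeyDescriptor use="encryption"` really carries the new certificate rather than the old one. The check below is an added example, not Cloudera's own code; it uses only the Python standard library, and the metadata document and "certificate" bytes are constructed placeholders, not real key material.

```python
"""Verify that SAML SP metadata advertises the expected encryption certificate.
Added example (not Cloudera's code). The metadata and cert bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def certs_by_use(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use (signing/encryption) to the fingerprints of
    its certificates. Per the SAML metadata spec, a KeyDescriptor with no
    'use' attribute applies to both."""
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert_el.text.split()))  # strip PEM line breaks
            for use in uses:
                result[use].append(fingerprint(der))
    return result

def encryption_cert_rotated(metadata_xml: str, new_cert_der: bytes) -> bool:
    """True when the metadata's encryption KeyDescriptor carries new_cert_der."""
    return fingerprint(new_cert_der) in certs_by_use(metadata_xml)["encryption"]

# Constructed placeholders standing in for DER certificates (not real certs).
OLD_CERT = b"placeholder-old-encryption-cert"
NEW_CERT = b"placeholder-new-encryption-cert"

# Constructed SP metadata, shaped like what the console exports after step 5.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://console.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(NEW_CERT).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("metadata carries new encryption cert:", encryption_cert_rotated(SP_METADATA, NEW_CERT))
```

Against a real export, read the downloaded metadata file into `SP_METADATA` and pass the DER bytes of the certificate generated in step 1 as `new_cert_der`.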