Cloudera Docs

Managing certificates

There are two types of certificates within CDP that you must manage: public and private, also called host certificates.

  • Public certificates are Let's Encrypt-issued certificates for Data Hub and Data Lake clusters. These certificates are available on port 443 (HTTPS) of the cluster and are responsible for enabling TLS in front of Knox and other available services on that port. They are valid for 90 days, and in most circumstances CDP will renew these certificates automatically before they expire.
    Note the following limitations in regards to automatic renewal of public certificates:
    • Data Hub or Data Lake clusters created on or after March 7, 2022 are eligible for automatic renewal of public certificates. Clusters created before March 7, 2022, must be renewed manually once following the instructions in Manually renewing public certificates for Data Lake and Data Hub clusters. After the public certificate for a cluster has been manually renewed once from the CDP UI or CLI, it is eligible for automatic certificate renewal in the future.
    • If an automatic renewal fails, the renewal service will retry the renewal for three consecutive days or three attempts. Any cluster that cannot be renewed by these retry attempts must be renewed manually through the CDP UI or CLI.
    • The automatic renewal is tried three times: on the 69th, 72nd and 78th day after the certificate creation date. For example, if a certificate is getting expired on September 24th, 2022, the renewal will be tried in the following sequence:
      • First renewal: September 3rd, 2022 2:00 A.M.
      • Second renewal: September 6th, 2022 2:00 A.M.
      • Third renewal: September 12th, 2022 2:00 A.M.
      In case the renewal is successful on the first attempt, the renewal will not be tried again.
    • Renewal of the certificates happens at 2 A.M. of the Control Plane time. If the Control Plane is in the United States region, the renewal starts at 2 A.M. Pacific Daylight Time (PDT). If the Control Plane is in the European region, the renewal starts at 2 A.M. Central European Summer Time (CEST). If the Control Plane is in the East-Asian and Pacific region, the renewal starts at 2 A.M. Australian Eastern Standard Time (AEST).
    • The auto renewal service does not know the status of the cluster. If the cluster is down or performing another operation, the automatic renewal may fail and you should initiate the renewal from the UI or CLI manually. Certificate renewal will not happen if the Data Hub and Data Lake clusters or the Public Cloud environment has a Stopped state.
    • If the cluster is down during the renewal attempts and comes back up after the renewal retries are exhausted, automatic renewal will not happen for that cluster. The certificate has to be renewed manually from the UI or CLI.
    • If a public certificate expires, you’ll receive a warning that your connection is not secure when you attempt to access a Data Lake or Data Hub cluster through the CDP UI.
    See Manually renewing public certificates for Data Lake and Data Hub clusters for instructions on renewing the public certificates manually.
  • Private certificates, or host certificates, are certificates created during cluster provisioning for every host with Auto-TLS. Private/host certificates have a default expiration date of one year. As private certificates get closer to expiration, the CDP UI displays a warning that the certificate is about to expire.

Though the CDP UI displays a warning about the expiration of private/host certificates, you are still responsible for renewing them through the UI or CDP CLI. After the certificates expire, the cluster is not functional, so you must renew them before expiration.