Managing certificates
There are two types of certificates within CDP that you must manage: public and private, also called host certificates.
- Public certificates are Let's Encrypt-issued certificates for Data Hub and Data Lake
clusters. These certificates are available on port 443 (HTTPS) of the cluster and are
responsible for enabling TLS in front of Knox and other available services on that port.
They are valid for 90 days, and in most circumstances CDP will renew these certificates
automatically before they expire. Note the following limitations in regards to automatic renewal of public certificates:
- Data Hub or Data Lake clusters created on or after March 7, 2022 are eligible for automatic renewal of public certificates. Clusters created before March 7, 2022, must be renewed manually once following the instructions in Manually renewing public certificates for Data Lake and Data Hub clusters. After the public certificate for a cluster has been manually renewed once from the CDP UI or CLI, it is eligible for automatic certificate renewal in the future.
- If an automatic renewal fails, the renewal service will retry the renewal for three consecutive days or three attempts. Any cluster that cannot be renewed by these retry attempts must be renewed manually through the CDP UI or CLI.
- The auto renewal service does not know the status of the cluster. If the cluster is down or performing another operation, the automatic renewal may fail and you should initiate the renewal from the UI or CLI manually.
- If the cluster is down during the renewal attempts and comes back up after the renewal retries are exhausted, automatic renewal will not happen for that cluster. The certificate has to renewed manually from the UI or CLI.
- If a public certificate expires, you’ll receive a warning that your connection is not secure when you attempt to access a Data Lake or Data Hub cluster through the CDP UI.
- Private certificates, or host certificates, are certificates created during cluster
provisioning for every host with Auto-TLS. Private/host certificates have a default
expiration date of one year. As private certificates get closer to expiration, the CDP UI
displays a warning that the certificate is about to expire.
Though the CDP UI displays a warning about the expiration of private/host certificates, you are still responsible for renewing them through the UI or CDP CLI. After the certificates expire, the cluster is not functional, so you must renew them before expiration.