Cloudera Docs

Managing public and private certificates

There are two types of certificates within Cloudera that you must manage: public and private, also called host certificates.

  • Public certificates are Let's Encrypt-issued certificates for Cloudera Data Hub and Data Lake clusters. These certificates are available on port 443 (HTTPS) of the cluster and are responsible for enabling TLS in front of Knox and other available services on that port. They are valid for 90 days, and in most circumstances Cloudera will renew these certificates automatically before they expire.
    Note the following limitations in regards to automatic renewal of public certificates:
    • Cloudera Data Hub or Data Lake clusters created on or after March 7, 2022 are eligible for automatic renewal of public certificates. Clusters created before March 7, 2022, must be renewed manually once following the instructions in Manually renewing public certificates for Data Lake and Cloudera Data Hub clusters. After the public certificate for a cluster has been manually renewed once from the Cloudera UI or CDP CLI, it is eligible for automatic certificate renewal in the future.
    • If an automatic renewal fails, the renewal service will retry the renewal for three consecutive days or three attempts. Any cluster that cannot be renewed by these retry attempts must be renewed manually through the Cloudera UI or CDP CLI.
    • The automatic renewal is tried three times: on the 69th, 72nd and 78th day after the certificate creation date. For example, if a certificate is getting expired on September 24th, 2022, the renewal will be tried in the following sequence:
      • First renewal: September 3rd, 2022 2:00 A.M.
      • Second renewal: September 6th, 2022 2:00 A.M.
      • Third renewal: September 12th, 2022 2:00 A.M.
      In case the renewal is successful on the first attempt, the renewal will not be tried again.
    • Renewal of the certificates happens at 2 A.M. of the Cloudera Control Plane time. If the Cloudera Control Plane is in the United States region, the renewal starts at 2 A.M. Pacific Daylight Time (PDT). If the Cloudera Control Plane is in the European region, the renewal starts at 2 A.M. Central European Summer Time (CEST). If the Cloudera Control Plane is in the East-Asian and Pacific region, the renewal starts at 2 A.M. Australian Eastern Standard Time (AEST).
    • The auto renewal service does not know the status of the cluster. If the cluster is down or performing another operation, the automatic renewal may fail and you should initiate the renewal from the UI or CLI manually. Certificate renewal will not happen if the Cloudera Data Hub and Data Lake clusters or the environment has a Stopped state.
    • If the cluster is down during the renewal attempts and comes back up after the renewal retries are exhausted, automatic renewal will not happen for that cluster. The certificate has to be renewed manually from the UI or CLI.
    • If a public certificate expires, you’ll receive a warning that your connection is not secure when you attempt to access a Data Lake or Cloudera Data Hub cluster through the Cloudera UI.
    See Manually renewing public certificates for Data Lake and Cloudera Data Hub clusters for instructions on renewing the public certificates manually.
  • Private certificates, or host certificates, are certificates created during cluster provisioning for every host with Auto-TLS. Private/host certificates have a default expiration date of one year. As private certificates get closer to expiration, the Cloudera UI displays a warning that the certificate is about to expire.

Though the Cloudera UI displays a warning about the expiration of private/host certificates, you are still responsible for renewing them through the UI or CDP CLI. After the certificates expire, the cluster is not functional, so you must renew them before expiration.