There are two types of certificates within CDP that you must manage: public and private, also called host certificates.
- Public certificates are Let's Encrypt-issued certificates for Data Hub and Data Lake clusters. These certificates are available on port 443 (HTTPS) of the cluster and responsible for enabling TLS in front of Knox and other available services on that port. They are valid for 90 days, and CDP does not give an automated warning message about the expiration of public certificates.
- Private certificates, or host certificates, are certificates created during cluster provisioning for every host with Auto-TLS. Private/host certificates have a default expiration date of one year. As private certificates get closer to expiration, the CDP UI displays a warning that the certificate is about to expire.
Though the CDP UI displays a warning about the expiration of private/host certificates, you are still responsible for renewing them through the UI or CDP CLI. After the certificates expire, the cluster is not functional, so you must renew them before expiration.
Public certificates must be renewed every 90 days and you are responsible for monitoring their expiration date. If a public certificate expires, you’ll receive a warning that your connection is not secure when you attempt to access a Data Lake or Data Hub cluster through the CDP UI.