question Re: Auto tls in Support Questions

Auto tls

mohammad_shamim — Tue, 21 Apr 2026 06:10:29 GMT

Hello All,

i have plan to renew the tls certificates for my prod cluster. I have already generated csr for all hosts and got the signed from my clients. Could you please share the steps for renewing. I gone through cloudera documentation but still having doubts. Can someone help. It would be much appreciated.

Re: Auto tls

ymprakash — Wed, 04 Mar 2026 03:12:31 GMT

Hi @mohammad_shamim

Thank you for reaching out to the Cloudera community.

Since you mentioned you have generated csr for all hosts, I am assuming you are using auto-tls use-case:3 (CA signed certificates)

You can renew the certificates using 2 methods.

1. generateCmca API

2. addCustomCerts API

Below is the documentation for renewing both the methods.

1. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm-security-use-case-3.html#:~:text=Refer%20the%20example%20API%20given%20below.%20Customize%20this%20API%20to%20match%20the%20deployment%20that%20has%20been%20set%20up%20and%20then%20run%20the%20API.

2. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encryption-reference/topics/security-rotate-auto-tls-ca-and-host-certificates.html#pnavId2

Please let me what doubts you have in the documentation.

Regards,

Re: Auto tls

mohammad_shamim — Mon, 09 Mar 2026 19:45:32 GMT

Still having doubts in addcustomcertapi and generatecmcaapi can you please help me on this. I have generated csi by using existing private and get the certa signed from client and prepare plan so what I need to us add or generate

Re: Auto tls

ymprakash — Sat, 14 Mar 2026 06:56:12 GMT

@mohammad_shamim Please use below sample curl command to renew the certs.

curl -i -v -uadmin:admin -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"location" : "/opt/cloudera/AutoTLS",
"customCA" : true,
"interpretAsFilenames" : true,
"cmHostCert" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem",
"cmHostKey" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem",
"caCert" : "/tmp/auto-tls/ca-certs/cfssl-chain-truststore.pem",
"keystorePasswd" : "/tmp/auto-tls/keys/key.pwd",
"truststorePasswd" : "/tmp/auto-tls/ca-certs/truststore.pwd",
"trustedCaCerts" : "/tmp/auto-tls/ca-certs.pem", //This is a path to a PEM file on the Cloudera Manager host which contains 
a list of CA certificates that should be imported into the truststores of all hosts. This is an optional field.
"hostCerts" : [ {
"hostname" : "ccycloud-7.vcdp71.root.hwx.site",
"certificate" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem",
"key" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem"
}, {
"hostname" : "ccycloud-3.vcdp71.root.hwx.site",
"certificate" : "/tmp/auto-tls/certs/ccycloud-3.vcdp71.root.hwx.site.pem",
"key" : "/tmp/auto-tls/keys/ccycloud-3.vcdp71.root.hwx.site-key.pem"
}, {
"hostname" : "ccycloud-2.vcdp71.root.hwx.site",
"certificate" : "/tmp/auto-tls/certs/ccycloud-3.vcdp71.root.hwx.site.pem",
"key" : "/tmp/auto-tls/keys/ccycloud-3.vcdp71.root.hwx.site-key.pem"
}, {
"hostname" : "ccycloud-1.vcdp71.root.hwx.site",
"certificate" : "/tmp/auto-tls/certs/ccycloud-1.vcdp71.root.hwx.site.pem",
"key" : "/tmp/auto-tls/keys/ccycloud-1.vcdp71.root.hwx.site-key.pem"
} ],
"configureAllServices" : "true",
"sshPort" : 22,
"userName" : "root",
"password" : "cloudera"
}' 'http://ccycloud-7.vcdp71.root.hwx.site:7180/api/v41/cm/commands/generateCmca' ////This link is valid if you have 
not enabled TLS in the Cloudera Manager UI. If you enable TLS for the same deployment in the Cloudera Manager UI later, 
the port number and the protocol changes for the API calls and for accessing the link from a browser. In such a scenario, 
the correct API call is as follows: https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/generateCmca.