Created on 03-03-2026 04:43 PM - last edited on 04-20-2026 11:10 PM by GrazittiAPI
Hello All,
I have a plan to renew the TLS certificates for my prod cluster. I have already generated CSRs for all hosts and got them signed by my clients. Could you please share the steps for renewing? I went through the Cloudera documentation but still have doubts. Can someone help? It would be much appreciated.
Created 03-03-2026 07:12 PM
Hi @mohammad_shamim
Thank you for reaching out to the Cloudera community.
Since you mentioned you have generated CSRs for all hosts, I am assuming you are using Auto-TLS use case 3 (CA-signed certificates).
You can renew the certificates using 2 methods.
1. generateCmca API
2. addCustomCerts API
Below is the documentation for renewing with both methods.
1. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm....
2. https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encryption-reference/topics/security...
Please let me know what doubts you have about the documentation.
Regards,
JP
Created 03-09-2026 12:45 PM
Still having doubts about the addCustomCerts API and the generateCmca API. Can you please help me with this? I have generated CSRs using the existing private keys, got the certs signed by the client, and prepared a plan, so which do I need to use, add or generate?
Created 03-13-2026 11:56 PM
@mohammad_shamim Please use the sample curl command below to renew the certs.
curl -i -v -uadmin:admin -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "location" : "/opt/cloudera/AutoTLS",
  "customCA" : true,
  "interpretAsFilenames" : true,
  "cmHostCert" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem",
  "cmHostKey" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem",
  "caCert" : "/tmp/auto-tls/ca-certs/cfssl-chain-truststore.pem",
  "keystorePasswd" : "/tmp/auto-tls/keys/key.pwd",
  "truststorePasswd" : "/tmp/auto-tls/ca-certs/truststore.pwd",
  "trustedCaCerts" : "/tmp/auto-tls/ca-certs.pem",
  "hostCerts" : [ {
    "hostname" : "ccycloud-7.vcdp71.root.hwx.site",
    "certificate" : "/tmp/auto-tls/certs/ccycloud-7.vcdp71.root.hwx.site.pem",
    "key" : "/tmp/auto-tls/keys/ccycloud-7.vcdp71.root.hwx.site-key.pem"
  }, {
    "hostname" : "ccycloud-3.vcdp71.root.hwx.site",
    "certificate" : "/tmp/auto-tls/certs/ccycloud-3.vcdp71.root.hwx.site.pem",
    "key" : "/tmp/auto-tls/keys/ccycloud-3.vcdp71.root.hwx.site-key.pem"
  }, {
    "hostname" : "ccycloud-2.vcdp71.root.hwx.site",
    "certificate" : "/tmp/auto-tls/certs/ccycloud-2.vcdp71.root.hwx.site.pem",
    "key" : "/tmp/auto-tls/keys/ccycloud-2.vcdp71.root.hwx.site-key.pem"
  }, {
    "hostname" : "ccycloud-1.vcdp71.root.hwx.site",
    "certificate" : "/tmp/auto-tls/certs/ccycloud-1.vcdp71.root.hwx.site.pem",
    "key" : "/tmp/auto-tls/keys/ccycloud-1.vcdp71.root.hwx.site-key.pem"
  } ],
  "configureAllServices" : "true",
  "sshPort" : 22,
  "userName" : "root",
  "password" : "cloudera"
}' 'http://ccycloud-7.vcdp71.root.hwx.site:7180/api/v41/cm/commands/generateCmca'
Notes on the request:
1. "trustedCaCerts" is the path to a PEM file on the Cloudera Manager host that contains a list of CA certificates to be imported into the truststores of all hosts. This field is optional.
2. The http://...:7180 URL is valid only if you have not enabled TLS in the Cloudera Manager UI. If you enable TLS for the same deployment in the Cloudera Manager UI later, the port number and the protocol change for the API calls and for accessing the link from a browser. In that case the correct API call is https://ccycloud-7.vcdp71.root.hwx.site:7183/api/v41/cm/commands/generateCmca.
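A pre-flight check for the hostCerts entries before submitting the generateCmca body, added here as an example and not Cloudera's code or part of the documented API. It assumes openssl 1.1.1 or newer on the Cloudera Manager host and a hypothetical manifest file of "hostname cert key" triples; it catches a key that does not belong to its certificate, a certificate that does not chain to the CA file, and an entry that lists another host's certificate (a common copy-paste slip when the body is assembled by hand).

```shell
#!/usr/bin/env bash
# Pre-flight check for the hostCerts entries of a generateCmca request body.
# Hypothetical helper (not Cloudera code); assumes openssl 1.1.1+ on the CM host.
set -o pipefail

# verify_host_pair HOSTNAME CERT_PEM KEY_PEM CA_CHAIN_PEM
# Returns 0 only if the certificate's public key matches the private key, the
# certificate chains to CA_CHAIN_PEM, and HOSTNAME is in its SAN (or CN).
verify_host_pair() {
  local host=$1 cert=$2 key=$3 ca=$4 cert_pub key_pub
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "$host: certificate or key file is not readable" >&2; return 1
  fi
  # Compare a SHA-256 of the DER-encoded public key taken from each side.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$host: certificate $cert does not match key $key" >&2; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$host: certificate does not chain to $ca" >&2; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep "does match" >/dev/null; then
    echo "$host: certificate does not name $host" >&2; return 1
  fi
  return 0
}

# verify_manifest MANIFEST CA_CHAIN_PEM
# MANIFEST lists one "hostname cert key" triple per line (the hostCerts
# entries). Every triple must pass before the generateCmca call is made.
verify_manifest() {
  local manifest=$1 ca=$2 bad=0 host cert key
  while read -r host cert key; do
    [ -n "$host" ] || continue
    verify_host_pair "$host" "$cert" "$key" "$ca" || bad=$((bad + 1))
  done < "$manifest"
  [ "$bad" -eq 0 ]
}
```

Run verify_manifest against the same hostname, certificate and key paths you put in the JSON body; only when it exits 0 is the body worth sending.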