Hi @Ivoz. 1. As mentioned on the doc, cm_cert_chain.pem is a combination of the root CA certificate and the CA certificate that is generated by Cloudera Manager.   2. --trusted-ca-certs option is used to add additional CA's which are used to sign the certificates for services which you will be using with CDP cluster. For Example. LDAPS, so in order to authenticate with LDAPS URL, you need to add the CA used to sign the LDAPS certificate in AutoTLS if that is not the same CA used to sign the Cloudera manager's intermediate CA certificate.   Kindly Note: - In this use case 2, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API. - You can apply Use Case 2 only to new Cloudera Manager installations that have not had hosts added or clusters created. If you already added hosts or created clusters, then you can implement only Use case 1 and Use case 3.   So, I would highly recommend you to use AutoTLS use case 3. More details on AutoTLS Use case 3 on below document: https://community.cloudera.com/t5/Customer/What-are-the-files-to-be-created-and-used-when-enabling/tac-p/369997#M41087 ... View more