Refreshing authentication certificates

You can refresh authentication certificates in your IBM Cloud Private environment.

You can refresh the following certificates:

Before you begin:

Note: When you run the command to replace a certificate, the related management services might be unavailable for a short duration of time. The command has no impact on the applications in your cluster.

Refresh certificates

  1. Log in to the boot node as a cluster admin.
  2. Change the location to the cluster/cfc-certs directory.

    cd <installation_directory>/cluster/cfc-certs
    
  3. Back up the certificate that you want to replace and move it to another location. See the following example:

    mv etcd etcd.bak
    
  4. Change to the cluster directory.

    cd ..
    
  5. Run the following command to replace the certificate:

    docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
    

Replace the existing certificate with your own certificate

  1. Generate a new router certificate key pair.
    Note: You must replace mycluster.icp with your own cluster_CA_domain that you configured in the <installation_directory>/cluster/config.yaml file.

    openssl req -newkey rsa:4096 -sha256 -nodes -keyout icp-router.key -x509 -days 36500 -out icp-router.crt -subj "/C=US/ST=California/L=Los Angeles/O=Your Domain Inc/CN=mycluster.icp"
    
  2. Log in to the boot node as a cluster admin.

  3. Change the location to the cluster/cfc-certs directory.

    cd <installation_directory>/cluster/cfc-certs
    
  4. Back up the router certificate.

    cp -r router router.bak
    
  5. Replace router/icp-router.key and router/icp-router.crt with your own key pair and certificate that you generated in step 1.

  6. Change to the cluster directory.

    cd ..
    
  7. Run the following command to replace the certificate:

    docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
    

Restore old certificate

  1. Log in to the boot node as a cluster admin.
  2. Change the location to the cluster/cfc-certs directory.

    cd <installation_directory>/cluster/cfc-certs
    
  3. Remove the existing certificate directory. See the following example:

    rm -r router
    
  4. Restore the backup under the original name.

    cp -r router.bak router
    
  5. Change to the cluster directory, because the replace command mounts the current directory as /installer/cluster.

    cd ..
    
  6. Run the following command to replace the certificate:

    docker run -t --net=host -v $(pwd):/installer/cluster -e LICENSE=accept ibmcom/icp-inception-$(uname -m | sed 's/x86_64/amd64/g'):3.1.1-ee replace-certificates -v
    

Create a new certificate authority (CA)

  1. Create the certificate. The certificate key is exported in PEM (OpenSSL) format. For example, to create a certificate for the domain name mycluster.icp that is signed with the cluster CA (/etc/cfc/conf/ca.crt), run the following commands:

    openssl genrsa -out icp-router.key 4096
    openssl req -new -key icp-router.key -out icp-router.csr -subj "/CN=mycluster.icp"
    openssl x509 -req -CA /etc/cfc/conf/ca.crt -CAkey /etc/cfc/conf/ca.key -CAcreateserial -in icp-router.csr -out icp-router.crt
    

    These commands create a private key, icp-router.key, and a certificate, icp-router.crt, in your current working directory.
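
The following script is an added example; it is not part of the IBM Cloud Private documentation or the icp-inception tooling. It checks a router certificate and key before you copy them into cfc-certs/router or turn them into the router-certs secret, whether they are the self-signed pair from the "Replace the existing certificate with your own certificate" section or the CA-signed certificate from the steps just shown. It confirms that the CN matches cluster_CA_domain, that the key belongs to the certificate, that the certificate chains to the CA you name, and that it is not about to expire, which matters because openssl x509 -req issues a 30-day certificate unless you add -days. Assumptions: the certificate and key are icp-router.crt and icp-router.key in the working directory, the cluster CA is /etc/cfc/conf/ca.crt, cluster_CA_domain is read from config.yaml by plain text matching rather than a YAML parser, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the IBM Cloud Private documentation.
# Checks a router certificate/key pair before it goes into
# cluster/cfc-certs/router or the router-certs secret.

# Read cluster_CA_domain from config.yaml by plain text matching
# (assumes the usual "cluster_CA_domain: mycluster.icp" form).
ca_domain_from_config() {
    sed -n 's/^[[:space:]]*cluster_CA_domain:[[:space:]]*//p' "$1" \
        | head -n 1 | cut -d' ' -f1 | tr -d "\"'"
}

# Extract the CN from an "openssl x509 -subject" line. Newer OpenSSL prints
# "subject=C = US, CN = mycluster.icp", older builds print
# "subject= /C=US/CN=mycluster.icp"; both forms are handled.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

cert_cn() {
    cn_from_subject "$(openssl x509 -noout -subject -in "$1")"
}

# The key belongs to the certificate when both yield the same public key.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Exit 0 when the certificate expires within $2 days. -checkend returns 0
# when the certificate will still be valid, so the result is inverted.
cert_expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Run every check; print each failure, return 1 if any failed.
check_router_cert() {
    crt=$1; key=$2; ca=$3; cfg=$4; rc=0
    want=$(ca_domain_from_config "$cfg")
    have=$(cert_cn "$crt")
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "CN mismatch: config.yaml says '$want', certificate says '$have'" >&2; rc=1
    fi
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt does not chain to $ca" >&2; rc=1
    fi
    if ! key_matches_cert "$crt" "$key"; then
        echo "$key does not match $crt" >&2; rc=1
    fi
    if cert_expires_within "$crt" 30; then
        echo "$crt expires within 30 days (openssl x509 -req defaults to -days 30)" >&2; rc=1
    fi
    return $rc
}

# Usage: sh check-router-cert.sh icp-router.crt icp-router.key \
#            /etc/cfc/conf/ca.crt <installation_directory>/cluster/config.yaml
if [ $# -eq 4 ]; then
    check_router_cert "$1" "$2" "$3" "$4" && echo "router certificate checks passed"
fi
```

For the self-signed certificate from the earlier section, pass the certificate itself as the CA argument, since it is its own trust anchor; for the CA-signed certificate, pass /etc/cfc/conf/ca.crt.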

Update secret router-certs

  1. Delete old secret router-certs.

    kubectl delete secret router-certs -n kube-system
    

    The output resembles the following code:

    secret "router-certs" deleted
    
  2. Create new secret router-certs.

    kubectl create secret tls router-certs --cert=icp-router.crt --key=icp-router.key -n kube-system
    

    The output resembles the following code:

    secret "router-certs" created
    

Replace the authentication certificate for the IBM Cloud Private management console

  1. Restart the management-ingress pod.

    kubectl get pods -n kube-system | grep icp-management-ingress
    

    The output resembles the following code:

    icp-management-ingress-8zfps                                   1/1       Running     0          30m
    

    Delete the icp-management-ingress pod.

    kubectl delete pods -n kube-system icp-management-ingress-8zfps
    

    The output resembles the following code:

    pod "icp-management-ingress-8zfps" deleted
    
  2. When the icp-management-ingress pod is back in a running state, log in to the IBM Cloud Private management console.

Replace the authentication certificate for the image manager

  1. Update the image registry cacert file. On all master nodes, copy the icp-router.crt as ca.crt to the directory that stores the image registry certificates. In this example, the directory that stores the image registry certificates is /etc/docker/certs.d/mycluster.icp:8500.

    cp icp-router.crt /etc/docker/certs.d/mycluster.icp\:8500/ca.crt
    
  2. Restart the image-manager pod.

    kubectl get pods -n kube-system | grep image-manager
    

    The output resembles the following code:

    image-manager-0                                           2/2       Running   0          11h
    

    Delete the image-manager pod.

    kubectl delete pods -n kube-system image-manager-0
    

    The output resembles the following code:

    pod "image-manager-0" deleted
    
  3. When the image-manager pod is back in a running state, log in to the image registry.

    docker login mycluster.icp:8500
    

    The output resembles the following code:

    Username (admin): admin
    Password:
    Login Succeeded
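
A second added example, again not from the IBM Cloud Private documentation, for the "Update secret router-certs" and image manager steps above: once the secret is recreated and the pods have restarted, the three copies of the router certificate that matter (the file on disk, tls.crt in the router-certs secret, and the certificate the registry presents on mycluster.icp:8500) should carry the same SHA-256 fingerprint. The kubectl and openssl s_client calls assume you run this on a node with cluster access; the function names and the endpoint argument are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the IBM Cloud Private documentation.
# After router-certs is recreated and the pods restarted, the certificate
# on disk, the tls.crt in the secret and the certificate served by the
# image registry should all carry the same SHA-256 fingerprint.

# Reduce "SHA256 Fingerprint=AB:CD:..." (or "SHA256(stdin)= abcd...", or
# bare hex) to upper-case hex without separators so sources compare equal.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F' | tr -d '[:space:]'
}

# True when both fingerprints are non-empty and equal after normalisation.
same_fp() {
    [ -n "$(norm_fp "$1")" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Fingerprint of a PEM certificate file (the one you generated locally).
file_fp() {
    norm_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# Fingerprint of tls.crt stored in the router-certs secret; the API returns
# the field base64-encoded.
secret_fp() {
    norm_fp "$(kubectl get secret router-certs -n kube-system \
        -o 'jsonpath={.data.tls\.crt}' | base64 -d \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Fingerprint of the certificate actually presented on the wire, e.g. by
# the image registry at mycluster.icp:8500. SNI is sent so a name-based
# virtual host returns the right certificate.
served_fp() {
    host=${1%:*}; port=${1##*:}
    norm_fp "$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Compare the on-disk certificate with the secret and the endpoint.
verify_deployed_cert() {
    crt=$1; endpoint=$2; want=$(file_fp "$crt")
    got=$(secret_fp)
    if ! same_fp "$want" "$got"; then
        echo "router-certs secret holds $got, $crt is $want" >&2; return 1
    fi
    got=$(served_fp "$endpoint")
    if ! same_fp "$want" "$got"; then
        echo "$endpoint serves $got, $crt is $want" >&2; return 1
    fi
    echo "$crt matches router-certs and $endpoint ($want)"
}

# Usage: sh verify-router-cert.sh icp-router.crt mycluster.icp:8500
if [ $# -eq 2 ]; then
    verify_deployed_cert "$1" "$2"
fi
```

A mismatch between the secret and the endpoint usually means the icp-management-ingress or image-manager pod has not been restarted yet, so run the pod deletion steps above again before re-checking.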