Specifying your own certificate authority for IBM Cloud Private services

All certificates required by services that run on IBM Cloud Private are created during the installation of IBM Cloud Private. Certificates are either created and managed by the IBM Cloud Private installer or by the IBM Cloud Private Certificate manager (cert-manager). These certificates are signed by a certificate authority (CA) also created during installation.

Prerequisite: If you updated your macOS system to Catalina (10.15) or later, you must complete the following steps so that macOS trusts the cluster certificate:

  1. Extract the IBM Cloud Private Root CA Certificate from the cluster-ca-cert secret into a cluster-ca-cert.pem file by running the following command:

    • For macOS, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 -D > cluster-ca-cert.pem
      
    • For Linux, run the following command:

      kubectl get secret cluster-ca-cert -n kube-system -o jsonpath="{.data['tls\.crt']}" | base64 --decode > cluster-ca-cert.pem
      
    • If you set the NavTLSGEnerate parameter to True, run the following command in the namespace where IBM Cloud Pak for Multicloud Management is installed to extract the Root CA Certificate:

       kubectl get secret icip-navigator-tls-secret -n cp4int -o jsonpath="{.data['tls.crt']}" | base64 -D > cluster-ca-cert.pem
      
  2. Add the certificate file to your local file system.

  3. Update the trust store on your macOS system: open the Launchpad application.

  4. Locate and select the Keychain Access application.

  5. Move your cluster-ca-cert.pem certificate file into the Keychain Access application.

  6. From the Certificates section, verify that the certificate is added.

  7. Update the access permissions by double-clicking the certificate that you added. Set the When using this certificate option to Always Trust.

  8. Return to your Chrome browser and refresh the management console.

    You can now log in to the management console. For more information, see Requirements for trusted certificates in iOS 13 and macOS 10.15.

Before you install IBM Cloud Private, you can provide your own certificate authority (CA) to sign certificates used by IBM Cloud Private services.

After you install IBM Cloud Private, you can provide your own certificates for management ingress and for image manager.

To bring your own key and CA certificate (BYOK) for use inside your IBM Cloud Private cluster, complete the following steps:

  1. Create the cfc-certs/root-ca directory inside your cluster directory.

    mkdir -p <installation_dir>/cluster/cfc-certs/root-ca
    
  2. Rename your existing CA key to ca.key and copy it to the installation directory.

    cp <BYOK> <installation_dir>/cluster/cfc-certs/root-ca/ca.key
    
  3. Rename your existing CA certificate to ca.crt, and copy it to the installation directory.

    cp <BYOK_cert> <installation_dir>/cluster/cfc-certs/root-ca/ca.crt
    
  4. If you have a certificate chain, then place the chain in the file ca-chain.crt in the directory <installation_dir>/cluster/cfc-certs/root-ca/. For example:

     cp <BYOK_cert_chain> <installation_dir>/cluster/cfc-certs/root-ca/ca-chain.crt
    

    NOTE: The certificate chain must contain only the signers of the BYO CA certificate, and must not contain the BYO CA certificate itself. The order of the chain must be the immediate signer of your BYO CA, followed by the signer of that CA, and so on up to the root.

  5. Install your cluster.
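The following script is an added example, not IBM's own tooling: it checks a cfc-certs/root-ca directory against the rules above (key matches certificate, certificate is a CA, chain excludes the BYO CA and is ordered immediate signer first, signatures verify) before you run the installer. It assumes the directory layout described in the steps and the openssl command-line tool on PATH.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: sanity-check a BYO CA directory before
# you run the installer. Assumes the cfc-certs/root-ca layout described above
# and the openssl command-line tool on PATH.

# Subject or issuer DN of a PEM certificate, without the "subject="/"issuer=" prefix.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*=//'; }
# SHA-256 fingerprint of a PEM certificate, used to compare certificates.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# check_byo_ca_dir <dir>: returns 0 when ca.key, ca.crt and the optional
# ca-chain.crt in <dir> are consistent with the layout the installer expects.
check_byo_ca_dir() {
  d=$1
  [ -f "$d/ca.key" ] && [ -f "$d/ca.crt" ] || { echo "ca.key or ca.crt missing in $d"; return 1; }
  # 1. The private key must belong to the CA certificate.
  k=$(openssl pkey -in "$d/ca.key" -pubout 2>/dev/null) || { echo "cannot read ca.key"; return 1; }
  c=$(openssl x509 -in "$d/ca.crt" -noout -pubkey 2>/dev/null) || { echo "cannot read ca.crt"; return 1; }
  [ "$k" = "$c" ] || { echo "ca.key does not match ca.crt"; return 1; }
  # 2. The certificate must be usable as a CA (basicConstraints CA:TRUE).
  openssl x509 -in "$d/ca.crt" -noout -text | grep -q 'CA:TRUE' || { echo "ca.crt is not a CA certificate"; return 1; }
  if [ ! -f "$d/ca-chain.crt" ]; then
    # 3a. No chain: the BYO CA must then be self-signed.
    [ "$(dn subject "$d/ca.crt")" = "$(dn issuer "$d/ca.crt")" ] || { echo "ca.crt is not self-signed but ca-chain.crt is missing"; return 1; }
    return 0
  fi
  # 3b. Chain present: split it into one file per certificate, preserving file order.
  tmp=$(mktemp -d)
  awk -v p="$tmp/c" '/BEGIN CERT/{n++} {print > (p n ".pem")}' "$d/ca-chain.crt"
  prev=$d/ca.crt; last=; i=1
  while [ -f "$tmp/c$i.pem" ]; do
    cur=$tmp/c$i.pem
    # The chain must not contain the BYO CA certificate itself.
    [ "$(fp "$cur")" != "$(fp "$d/ca.crt")" ] || { echo "ca-chain.crt contains the BYO CA itself"; rm -rf "$tmp"; return 1; }
    # Each entry must be the issuer of the entry before it: immediate signer first.
    [ "$(dn issuer "$prev")" = "$(dn subject "$cur")" ] || { echo "ca-chain.crt entry $i is out of order"; rm -rf "$tmp"; return 1; }
    prev=$cur; last=$cur; i=$((i + 1))
  done
  # 4. The signatures must verify, anchored on the last (top-most) entry of the chain.
  rc=0
  openssl verify -CAfile "$last" -untrusted "$d/ca-chain.crt" "$d/ca.crt" >/dev/null 2>&1 || rc=1
  rm -rf "$tmp"
  [ $rc -eq 0 ] || echo "ca.crt does not verify against ca-chain.crt"
  return $rc
}
```

Run it as check_byo_ca_dir <installation_dir>/cluster/cfc-certs/root-ca; a non-zero exit status and the printed reason tell you which rule the directory breaks.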

Accessing the IBM Cloud Private Root CA

After you bring your own IBM Cloud Private Root CA, the IBM Cloud Private Root CA Certificate is accessible through the Kubernetes Secret ibmcloud-cluster-ca-cert in the kube-public namespace.

To retrieve and decode the certificate, run the following command:

kubectl get secret -n kube-public ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 --decode
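As an added example (not part of the original page), the following function confirms that the cluster really publishes the CA you supplied, by comparing the SHA-256 fingerprint of your local ca.crt with the certificate decoded from the ibmcloud-cluster-ca-cert secret. It assumes openssl on PATH and that you pass it the base64 value that the kubectl command above returns.

```shell
# Added example, not IBM's own tooling: confirm that the cluster publishes the
# CA you supplied by comparing the fingerprint of your local ca.crt with the
# certificate stored in the ibmcloud-cluster-ca-cert secret. Assumes openssl on PATH.

# SHA-256 fingerprint of the PEM certificate on stdin, value only.
fingerprint() { openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# cluster_ca_matches <local ca.crt> <base64 value of .data.ca\.crt from the secret>
# Returns 0 only when both fingerprints are non-empty and identical.
cluster_ca_matches() {
  local_fp=$(fingerprint < "$1" 2>/dev/null)
  # Re-wrap the one-line base64 and decode it with openssl, which behaves the
  # same on macOS and Linux (no base64 -D versus --decode difference).
  cluster_fp=$(printf '%s\n' "$2" | fold -w 64 | openssl base64 -d 2>/dev/null | fingerprint 2>/dev/null)
  [ -n "$local_fp" ] && [ "$local_fp" = "$cluster_fp" ]
}

# Typical use against a live cluster (not run here):
# cluster_ca_matches <installation_dir>/cluster/cfc-certs/root-ca/ca.crt \
#   "$(kubectl get secret -n kube-public ibmcloud-cluster-ca-cert -o jsonpath='{.data.ca\.crt}')"
```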

Upgrade from IBM Cloud Private 3.1.2 and earlier

In IBM Cloud Private version 3.1.2 and earlier, the certificate that is used by the management ingress and image manager was not managed by the IBM Cloud Private Certificate Manager service. The certificate was initially created by the installer. The way to bring your own certificate for the management ingress and image manager services was to place your own certificate into the correct directory.

For IBM Cloud Private version 3.2.0 and later, you can either bring your own Certificate Authority or replace the management ingress and image manager certificates.

If you bring your own Certificate Authority (your own root CA), it signs the certificate that is used by the management ingress and image manager.

The following scenarios can exist during upgrade:

  1. You did not bring your own certificate for the management ingress and image manager. In this scenario, the management ingress and image manager pick up the new certificate that cert-manager generates during the upgrade. If you want to bring your own, refer to the steps in Replacing Certificates after you upgrade IBM Cloud Private.

  2. You brought your own certificate for the management ingress and image manager. In this scenario, the management ingress and image manager no longer use your certificate after the upgrade. You must follow the steps in Replacing Certificates after you upgrade IBM Cloud Private.

NOTE: If you replace your root CA, then after you upgrade you must accept and trust the new certificate in your browser when you open the IBM Cloud Private management console.