Replacing passwords, keys, and certificates

Each subsystem uses one or more passwords, database keys, and registration secrets. In some cases, an update takes effect immediately or on the next log-in, but some components require a restart to apply the update. Follow the procedure for updating each subsystem to ensure that you complete all required steps.

All subsystems use TLS certificates to encrypt communications both within each subsystem, between subsystems, and with clients. The procedure for renewing a certificate depends on whether you use cert-manager. After you replace a certificate in a subsystem, you must restart all pods that are affected by the certificate, so there will be a service interruption.

The instructions in this section are written for deployments on Kubernetes and details for other platforms appear at the end of the section. Before you begin updating passwords, keys, and certificates, review the entire section to ensure you understand the procedures and are aware of any platform-specific differences that affect your deployment.