Renewing certificates with cert-manager

Use cert-manager to renew the issuers, CA certificates, and derived certificates that it manages for your API Connect deployment.

Cert-manager monitors and automatically renews all API Connect certificates before they expire. However, some API Connect maintenance operations require the manual renewal of certificates. The topics in this section describe how to manually trigger cert-manager to renew the certificates that it manages.

Key points to understand:
  • If you replaced any cert-manager certificates with custom certificates, you must update these certificates manually before they expire. Cert-manager does not monitor custom certificates.
  • Some API Connect pods must be restarted when certain API Connect certificates are renewed. See Pods that require restart after certificate renewal.
  • When you renew a CA certificate, you must renew all the end-entity certificates that the CA signs. See API Connect TLS certificates reference.
Note: If your API Connect deployment was originally installed at v10.0.1.2 or earlier, then the certificate might be missing the duration and renewBefore properties. Before you renew any API Connect connect certificates, verify that your certificates have these properties, and if not then add them:
  1. Run the following command to list of all the certificate names, with their duration and renewBefore properties:
    kubectl -n <namespace> get certificate -o,DURATION:spec.duration,RENEWBEFORE:spec.renewBefore
    Example output where management-ca is missing the duration and renewBefore properties:
    NAME                                     DURATION     RENEWBEFORE
    analytics-ai-endpoint                    17520h0m0s   720h0m0s
    management-ca                            <none>       <none>
  2. For each certificate output from step 1 that shows <none> for duration and renewBefore, edit the certificate and add these properties:
    kubectl -n <namespace> edit certificate <certificate name>
    Add the duration and renewBefore properties under the spec property as shown in the following example:
      duration: <duration>
      renewBefore: 720h # 30 days	
    where <duration> is:
    • 87600h for CA certificates.
    • 17520h for all other certificates.