Renewing cert-manager controlled certificates
Use cert-manager to renew the issuers, CA certificates, and derived certificates that it manages for your API Connect deployment.
Cert-manager monitors and automatically renews all API Connect certificates before they expire. However, some API Connect maintenance operations require the manual renewal of certificates. The topics in this section describe how to manually trigger cert-manager to renew the certificates that it manages.
Key points to understand:
- If you replaced any cert-manager certificates with custom certificates, you must update these certificates manually before they expire. Cert-manager does not monitor custom certificates.
- Some API Connect pods must be restarted when certain API Connect certificates are renewed. See Pods that require restart after certificate renewal.
- When you renew a CA certificate, you must renew all the end-entity certificates that the CA signs. See API Connect TLS certificates reference.
Note: If your API Connect deployment was originally installed at v10.0.1.2 or earlier, then the certificate might be missing the duration and renewBefore properties. Before you renew any API Connect certificates, verify that your certificates have these properties, and if not then add them:

1. Run the following command to list all the certificate names, with their duration and renewBefore properties:

        kubectl -n <namespace> get certificate -o custom-columns=NAME:metadata.name,DURATION:spec.duration,RENEWBEFORE:spec.renewBefore

   Example output where management-ca is missing the duration and renewBefore properties:

        NAME                    DURATION     RENEWBEFORE
        analytics-ai-endpoint   17520h0m0s   720h0m0s
        ...
        management-ca           <none>       <none>

2. For each certificate output from step 1 that shows <none> for duration and renewBefore, edit the certificate and add these properties:

        kubectl -n <namespace> edit certificate <certificate name>

   Add the duration and renewBefore properties under the spec property as shown in the following example:

        ...
        spec:
          ...
          duration: <duration>
          renewBefore: 720h # 30 days
        ...

   where <duration> is:
   - 87600h for CA certificates.
   - 17520h for all other certificates.
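The check and fix described in the note above can be scripted. The following is an added example, not part of the original documentation: it reads the certificate listing and prints, without running them, the `kubectl patch` commands that add the missing properties. It assumes an extra `ISCA:spec.isCA` column is added to the list command and that CA certificates set `spec.isCA: true`; the namespace `apic`, the certificate `example-client`, and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: print (do not run) kubectl patch commands for certificates
# whose spec.duration or spec.renewBefore shows <none>.
#
# Live input: the list command from the note, with ISCA:spec.isCA appended to
# the custom-columns list (assumption: CA certificates set spec.isCA: true).

# Constructed sample listing, in the shape kubectl prints for custom-columns.
sample_output() {
  cat <<'EOF'
NAME                    DURATION     RENEWBEFORE   ISCA
analytics-ai-endpoint   17520h0m0s   720h0m0s      <none>
...
management-ca           <none>       <none>        true
example-client          <none>       <none>        <none>
EOF
}

# Usage: <listing> | missing_cert_patches <namespace>
# Emits one merge-patch command per certificate, setting only the fields
# that are missing so that existing values are never overwritten.
missing_cert_patches() {
  awk -v ns="$1" '
    NR == 1 || NF < 4 { next }   # skip the header row and "..." filler lines
    {
      fields = ""
      if ($2 == "<none>")        # 87600h for CA certificates, 17520h otherwise
        fields = "\"duration\":\"" (($4 == "true") ? "87600h" : "17520h") "\""
      if ($3 == "<none>")        # 720h = 30 days, as in the note
        fields = fields (fields == "" ? "" : ",") "\"renewBefore\":\"720h\""
      if (fields != "")          # %c with 39 prints a single quote
        printf "kubectl -n %s patch certificate %s --type merge -p %c{\"spec\":{%s}}%c\n", ns, $1, 39, fields, 39
    }'
}

# Demonstration on the constructed sample; with a live cluster, pipe the
# kubectl listing into missing_cert_patches instead.
sample_output | missing_cert_patches apic
```

Review the printed commands before running any of them; they make the same change as the interactive `kubectl edit` in step 2.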