Renewing the ingress-ca

Renew the ingress CA certificate, and all the end-entity certificates that the ingress CA signs.

About this task

The ingress CA certificate signs all user-facing and inter-subsystem certificates. When you renew the ingress CA, you must renew all the end-entity certificates that the ingress CA signs.

For more information about API Connect certificates, see API Connect TLS certificates.

Procedure

  1. Run the following command to renew the ingress CA certificate:
    kubectl -n <management namespace> get certificate <ingress CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <management namespace> delete secret
    where <ingress CA name> is the name of the ingress CA certificate. On Kubernetes and OpenShift individual subsystem installations this name is ingress-ca. On Cloud Pak for Integration and OpenShift top-level CR installations, this name is <apic instance name>-ingress-ca.
  2. Run the following command to renew all the end-entity certificates that the ingress CA signs:
    kubectl get secrets -n <management namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <management namespace>
  3. If you have other subsystems that are in different namespaces from the management subsystem, then follow the steps in Copying renewed ingress-ca to subsystems in different namespaces.
  4. Verify analytics in the developer portal.
    Due to a known issue, Analytics in the Developer Portal might stop working after the ingress-ca is renewed. If this happens, complete the following steps to ensure that the certificate changes take effect:
    1. Log in to the Cloud Manager user interface.
    2. In the navigation list, click Topology.
    3. Edit the Analytics service.
    4. On the Analytics page, edit the Summary field to force a change; for example, by adding a space to the end of a sentence.
    5. Click Save.
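The following script is an added example and is not part of the IBM API Connect documentation. It wraps steps 1 and 2 of the procedure above in reusable functions, parameterized by the management namespace and the ingress CA name, and adds a check that the page does not show: after the secrets are deleted it waits for cert-manager to report every Certificate in the namespace as Ready again, which confirms the renewed certificates were actually reissued. It assumes (not stated on the page) that the ingress issuer's name contains "ingress-issuer" and that cert-manager reissues a Certificate whose backing secret is deleted; the script file name and the KUBECTL and SETTLE_SECONDS variables are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the IBM API Connect documentation.
# Renew the ingress CA and every end-entity certificate it signs by deleting
# their secrets, then wait for cert-manager to reissue them.
# Assumptions (not stated on the page): the ingress issuer's name contains
# "ingress-issuer", and cert-manager reissues a Certificate whose secret is
# deleted. Namespace and CA name are supplied by the caller.

set -eu

# Override for a dry run, e.g. KUBECTL="echo kubectl" ./renew-ingress-ca.sh ...
KUBECTL="${KUBECTL:-kubectl}"

# Read the custom-columns listing "NAME ISSUER" (one secret per line) on stdin
# and print only the names whose ISSUER column mentions the ingress issuer.
# Matching the ISSUER column alone, instead of grep over the whole line as in
# the documented one-liner, avoids deleting a secret that merely happens to
# have "ingress-issuer" in its own name but was issued by something else.
ingress_issued_secrets() {
    awk '$2 ~ /ingress-issuer/ { print $1 }'
}

# Step 1: delete the ingress CA secret named by the Certificate's
# spec.secretName; cert-manager reissues it, which renews the CA.
renew_ingress_ca() {
    ns="$1"; ca="$2"
    secret=$($KUBECTL -n "$ns" get certificate "$ca" -o=jsonpath='{.spec.secretName}')
    if [ -z "$secret" ]; then
        echo "certificate $ca in $ns has no spec.secretName" >&2
        return 1
    fi
    $KUBECTL -n "$ns" delete secret "$secret"
}

# Step 2: delete every end-entity secret that the ingress issuer signed so
# that cert-manager reissues each one under the renewed CA.
renew_end_entity_certs() {
    ns="$1"
    $KUBECTL -n "$ns" get secrets \
        -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' \
        --no-headers=true \
      | ingress_issued_secrets \
      | while read -r name; do
            $KUBECTL -n "$ns" delete secret "$name"
        done
}

# Verification: wait until every Certificate in the namespace is Ready again.
# cert-manager needs a moment to notice the missing secrets and flip Ready to
# False, so a short settle delay avoids passing on the stale Ready=True state.
wait_for_certificates() {
    ns="$1"; timeout="${2:-300s}"
    sleep "${SETTLE_SECONDS:-10}"
    $KUBECTL -n "$ns" wait --for=condition=Ready certificate --all --timeout="$timeout"
}

# Usage: renew-ingress-ca.sh <management namespace> <ingress CA name>
# e.g.   renew-ingress-ca.sh apic-management ingress-ca
# Subsystems in other namespaces still need the separate copy procedure
# referenced in step 3 above.
if [ "$#" -eq 2 ]; then
    renew_ingress_ca "$1" "$2"
    renew_end_entity_certs "$1"
    wait_for_certificates "$1"
fi
```

Run it with the real namespace and CA name (ingress-ca on individual subsystem installations, <apic instance name>-ingress-ca on Cloud Pak for Integration and top-level CR installations). Setting KUBECTL="echo kubectl" first prints the commands without executing them, which is a cheap way to confirm the namespace and CA name before deleting anything.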