Renew the ingress CA certificate, and all the end-entity certificates that the ingress CA
signs.
About this task
The ingress CA certificate signs all user-facing and inter-subsystem certificates. When you
renew the ingress CA, you must renew all the end-entity certificates that the ingress CA
signs. For more information about API Connect certificates,
see API Connect TLS certificates.
Procedure
- Run the following command to renew the ingress CA
certificate:
kubectl -n <management namespace> get certificate <ingress CA name> -o=jsonpath='{.spec.secretName}' | xargs kubectl -n <management namespace> delete secret
where <ingress CA name> is the name of the ingress CA certificate. On Kubernetes and
OpenShift individual subsystem installations this name is ingress-ca. On
Cloud Pak for Integration and OpenShift top-level CR installations, this name is
<apic instance name>-ingress-ca.
- Run the following command to renew all the end-entity certificates that the ingress CA
signs:
kubectl get secrets -n <management namespace> -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name' --no-headers=true | grep ingress-issuer | awk '{ print $1 }' | xargs kubectl delete secret -n <management namespace>
- If you have other subsystems that are in different namespaces from the management
subsystem, then follow the steps in Copying renewed ingress-ca to subsystems in different namespaces.
- Verify analytics in the developer portal.
Due to a known issue, when the ingress-ca is renewed, it is possible that
Analytics in the Developer Portal might stop working. If this happens, complete the
following steps to ensure that certificate changes take effect:
- Log in to the Cloud Manager user interface.
- In the navigation list, click Topology.
- Edit the Analytics service.
- On the Analytics page, edit the Summary field to force a change; for
example, by adding a space to the end of a sentence.
- Click Save.
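
A dry run and post-check for the end-entity renewal step, as an added example that is not part of IBM's procedure: `select_by_issuer` previews which secrets the delete would target by matching the ISSUER column exactly, and `not_recreated` compares listings taken before and after the delete to show secrets that have not been reissued yet. The issuer name `ingress-issuer` is taken from the page's grep; pass the name that your ISSUER column actually shows. The function names and the secret names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not IBM's script. Secret names in SAMPLE are constructed.

# Step 2 listing command from the page; NS is your management namespace.
list_secret_issuers() {
  kubectl get secrets -n "$NS" --no-headers=true \
    -o custom-columns='NAME:.metadata.name,ISSUER:.metadata.annotations.cert-manager\.io/issuer-name'
}

# select_by_issuer ISSUER: read "NAME ISSUER" lines on stdin and print the
# names whose ISSUER column equals ISSUER exactly (column match, not substring).
select_by_issuer() {
  awk -v issuer="$1" '$2 == issuer { print $1 }'
}

# not_recreated BEFORE AFTER: print names listed in file BEFORE that are
# missing from file AFTER, i.e. secrets that have not been reissued yet.
not_recreated() {
  awk -v after="$2" '
    BEGIN { while ((getline line < after) > 0) { split(line, f, " "); seen[f[1]] = 1 } }
    NF && !($1 in seen) { print $1 }' "$1"
}

# Constructed listing: two signed secrets, one whose name merely contains the
# issuer string, one from another issuer, one with a longer issuer name.
SAMPLE='management-client      ingress-issuer
portal-admin-client    ingress-issuer
ingress-issuer-notes   <none>
gateway-peering        selfsigning-issuer
analytics-endpoint     ingress-issuer-old'

# Preview against the sample; prints management-client and portal-admin-client.
printf '%s\n' "$SAMPLE" | select_by_issuer ingress-issuer

# Live use (commented out so the example runs offline):
#   list_secret_issuers | select_by_issuer ingress-issuer > before.txt
#   ... run step 2, wait for the certificates to be reissued ...
#   list_secret_issuers | select_by_issuer ingress-issuer > after.txt
#   not_recreated before.txt after.txt    # no output means all are back
```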