Creating a custom certificate for the console

When you install IBM Cloud Pak for Watson AIOps, self-signed TLS certificates are generated for the IBM Cloud Pak for Watson AIOps UI console route. These default certificates are issued by the IBM® Automation foundation operator. If needed, you can create your own custom TLS certificate to use for the console route, instead of the default self-signed certificate.


To create a custom certificate, you need to create an external-tls-secret certificate secret that contains the custom certificate, and then configure your custom AutomationUIConfig to reference the secret.

  1. Generate your TLS certificate. When you generate the certificate, include the following hostnames in the Subject Alternative Name (SAN) fields. These hostnames identify the different URLs that the console uses.

    If your organization supports the use of a wildcard character, you can include that character to specify the hostnames.

    DNS.1 = api.apps.<FQDN>
    DNS.2 = oauth-openshift.apps.<FQDN>
    DNS.3 = console-openshift-console.apps.<FQDN>
    DNS.4 = cp-console.apps.<FQDN>
    DNS.5 = grafana-openshift-monitoring.apps.<FQDN>
    DNS.6 = alertmanager-main-openshift-monitoring.apps.<FQDN>
    DNS.7 = prometheus-k8s-openshift-monitoring.apps.<FQDN>
    DNS.8 = netcool-evtmanager.apps.<FQDN>
    DNS.9 = was-evtmanager.apps.<FQDN>
    DNS.10 = impact-evtmanager.apps.<FQDN>
    DNS.11 = nci-0-evtmanager.apps.<FQDN>
    DNS.12 = cpd-<NAMESPACE>.apps.<FQDN>


    For example, if your namespace is named aiops, and the fully qualified domain name of your cluster is, your list of hostnames can resemble the following list:

    DNS.1 =
    DNS.2 =
    DNS.3 =
    DNS.4 =
    DNS.5 =
    DNS.6 =
    DNS.7 =
    DNS.8 =
    DNS.9 =
    DNS.10 =
    DNS.11 =
    DNS.12 =
  2. Create an external-tls-secret secret within the IBM Cloud Pak for Watson AIOps installation namespace to provide your certificate, key, and CA certificate to IBM Automation foundation.

    You can use the following command to create the external-tls-secret secret:

    oc -n <namespace> create secret generic external-tls-secret --from-file=cert.crt=./cert.crt --from-file=cert.key=./cert.key --from-file=ca.crt=./ca.crt --dry-run=client -o yaml | oc apply -f -

    Where <namespace> is the namespace that you created for your IBM Cloud Pak for Watson AIOps installation. For more information, see Create a custom namespace. The command returns the following:

    secret/external-tls-secret created
  3. Configure your custom AutomationUIConfig instance to reference the secret.

    The AutomationUIConfig instance determines how the console behaves on the cluster. This instance controls the storage class that is used by the UI and the TLS certificate that the UI presents to external clients. Only one AutomationUIConfig instance can exist. If the AutomationUIConfig instance exists, review the existing configurations to determine whether updates are needed. If the instance does not exist, create your custom AutomationUIConfig instance.

    Include the reference to the secret by including the following configuration in the AutomationUIConfig CR:

        tls:
          certificateSecret:
            secretName: external-tls-secret
          caSecret:
            secretName: external-tls-secret
            key: ca.crt

    For example, the following AutomationUIConfig spec shows the placement of the configuration to reference the secret:

    kind: AutomationUIConfig
    metadata:
      name: iaf-system
    spec:
      license:
        accept: true
      version: v1.0
      tls:
        certificateSecret:
          secretName: external-tls-secret
        caSecret:
          secretName: external-tls-secret
          key: ca.crt

    For more information about configuring the AutomationUIConfig, see Configuring IBM Automation foundation (advanced).

    For more information about configuring the TLS parameters of the AutomationUIConfig, see Custom resources.

  4. Optional. Event management uses the Red Hat® OpenShift® Container Platform cluster default ingress certificate. If you want event management to use your custom TLS certificate, you can replace the default ingress certificate on the cluster to use your certificate. For more information, see the Red Hat OpenShift Container Platform documentation Replacing the default ingress certificate.
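
A certificate that is missing one of the step 1 hostnames only shows up later as a browser or client TLS error, so it is worth checking the SAN list before you create the secret in step 2. The following added example is not part of the IBM documentation; the function names are hypothetical, and it assumes a wildcard entry covers only the leftmost label of a hostname.

```sh
#!/bin/sh
# Added example (not IBM's code): report which console hostnames from step 1
# are NOT covered by a certificate's SAN entries. Typical use, with the
# cert.crt file name from step 2:
#   openssl x509 -in cert.crt -noout -ext subjectAltName | missing_sans <FQDN> <NAMESPACE>

# Print the 12 required hostnames. $1 = cluster FQDN, $2 = installation namespace.
required_hosts() {
  for h in api oauth-openshift console-openshift-console cp-console \
      grafana-openshift-monitoring alertmanager-main-openshift-monitoring \
      prometheus-k8s-openshift-monitoring netcool-evtmanager was-evtmanager \
      impact-evtmanager nci-0-evtmanager "cpd-$2"; do
    printf '%s.apps.%s\n' "$h" "$1"
  done
}

# san_covers HOST SAN: true on an exact match, or when SAN is a wildcard whose
# "*" stands for exactly the leftmost label of HOST.
san_covers() {
  [ "$1" = "$2" ] && return 0
  case $2 in
    '*.'*) [ "${1#*.}" = "${2#??}" ] ;;
    *) return 1 ;;
  esac
}

# Read SAN text on stdin; print each required hostname that no DNS entry covers.
missing_sans() {
  sans=$(tr ', \t' '\n\n\n' | sed -n 's/^DNS://p' | tr '[:upper:]' '[:lower:]')
  required_hosts "$1" "$2" | while read -r host; do
    covered=no
    set -f   # stop the shell from glob-expanding "*.apps..." entries
    for san in $sans; do
      if san_covers "$host" "$san"; then covered=yes; break; fi
    done
    set +f
    [ "$covered" = yes ] || printf '%s\n' "$host"
  done
}
```

Empty output means every required hostname is covered; any printed hostname must be added to the certificate request before you continue.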

What to do next

Proceed with your IBM Cloud Pak for Watson AIOps installation. When you are creating your IBM Cloud Pak for Watson AIOps Installation custom resource instance, ensure that you reference your AutomationUIConfig instance. For more information, see Installing IBM Cloud Pak for Watson AIOps.