Refreshing cert-manager certificates

Your product Certificate manager service automatically refreshes certificates that are going to expire.

Automatically refreshing leaf certificates created from a CA certificate (foundational services version 3.6.4 and later)

Cert-manager may be used to create a CA certificate. The CA certificate may then be used to create a CA Issuer, and the CA Issuer may then be used to create leaf certificates that are signed with the CA certificate. The cert-manager service automatically renews the certificates it creates, and it has been extended from the community source project to also refresh leaf certificates created from a CA certificate when that CA certificate is refreshed. This is supported by the ibm-cert-manager-operator: a CA certificate and namespace may be specified, and leaf certificates based on that CA certificate are refreshed.

For more information, see Certificate Management Service settings.

Manually refreshing your certificates

Certificates that are generated by your product Certificate manager can be refreshed before your product Certificate manager tries to refresh them by following these steps:

  1. Determine the name of the Secret associated with your certificate. This information can be found by using the kubectl get certificate command and noting the namespace and Secret name next to your certificate.

    kubectl get certificate --all-namespaces
  2. Delete the Secret associated with the certificate you want to refresh.

    kubectl delete secret <secret name> -n <namespace>

    NOTE: Your product Certificate manager re-creates the Secret for that certificate and automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that certificate.

    NOTE: When you refresh your certificate, you reset the duration and renewBefore values of your new certificate. Unless your new certificate specifies values for the duration and renewBefore parameters, the following defaults are applied:

    • duration value of 90 days
    • renewBefore value of 30 days
  3. Wait for all the services that use that Secret to restart.
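The three steps above as one script, added here as an example (it is not from this page or the ibm-cert-manager-operator). It assumes kubectl is on the PATH, that the Certificate's spec.secretName is the Secret to delete, and it limits the wait in step 3 to Deployments in the same namespace; the two SAMPLE_ listings are constructed to show the parsing and are not real cluster output.

```shell
#!/bin/sh
# Refresh one cert-manager Certificate: delete its Secret, wait for the
# operator to re-create it, then wait for the Deployments that mount it.
set -eu

# Constructed sample of the list_certificates format:
# namespace<TAB>certificate<TAB>secretName
SAMPLE_CERTS=$(printf 'cert-demo\tweb-cert\tweb-tls\ncert-demo\tapi-cert\tapi-tls\n')
# Constructed sample of the list_deployments format:
# deployment<TAB>comma-terminated secretNames mounted as volumes
SAMPLE_DEPLOYS=$(printf 'web\tweb-tls,config-secret,\nbatch\tbatch-tls,\n')

# Step 1: print the Secret a Certificate writes to; fail if it is unknown.
secret_for_certificate() {            # <listing> <namespace> <certificate>
  printf '%s\n' "$1" | awk -F'\t' -v ns="$2" -v cert="$3" \
    '$1 == ns && $2 == cert { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Step 3 helper: print Deployments whose pod template mounts the Secret.
workloads_using_secret() {            # <listing> <secret>
  printf '%s\n' "$1" | awk -F'\t' -v s="$2" \
    'index("," $2 ",", "," s ",") { print $1 }'
}

list_certificates() {
  kubectl get certificate --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.secretName}{"\n"}{end}'
}

list_deployments() {                  # <namespace>
  kubectl get deployment -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.template.spec.volumes[*]}{.secret.secretName}{","}{end}{"\n"}{end}'
}

refresh_certificate() {               # <namespace> <certificate>
  ns=$1
  secret=$(secret_for_certificate "$(list_certificates)" "$ns" "$2")
  # Step 2: delete the Secret; the operator re-creates it, so poll until it is back.
  kubectl delete secret "$secret" -n "$ns"
  until kubectl get secret "$secret" -n "$ns" >/dev/null 2>&1; do sleep 5; done
  # Step 3: wait for every Deployment that mounts the Secret to finish restarting.
  for d in $(workloads_using_secret "$(list_deployments "$ns")" "$secret"); do
    kubectl rollout status "deployment/$d" -n "$ns" --timeout=5m
  done
}

if [ "$#" -eq 2 ]; then refresh_certificate "$@"; fi
```

Run it as `./refresh-cert.sh <namespace> <certificate name>`; StatefulSets and DaemonSets would need the same listing built with `kubectl get statefulset` and `kubectl get daemonset`.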

Disable restarting your service when a certificate is refreshed

When you refresh a certificate by using your product Certificate manager service, it automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that Certificate.

You can disable this feature if you do not want your product Certificate manager to restart the Pods associated with your Deployment, StatefulSet, or DaemonSet.

To disable the feature, set the annotation to the value "true" in the metadata of your Kubernetes Deployment, StatefulSet, or DaemonSet YAML definition. For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  annotations:
    <annotation key>: "true"

DISCLAIMER: When your product Certificate manager restarts your service, extra ReplicaSets are created. There can be old ReplicaSets that remain. To mitigate the problem of extra unused ReplicaSets, set the spec.revisionHistoryLimit in your Deployment to a reasonable number. If the spec.revisionHistoryLimit is not set, the default value is 10. For more information, see the Kubernetes documentation.