Bringing your own CA Certificate

You can replace the IBM Cloud Pak foundational services self-signed certificate authority (CA) certificate with your own CA certificate.

You can either generate a certificate and create an issuer, or create just the secret.

Note: Anytime you need to bring back your original certificate, see Bringing back your original CA Certificate.

Prerequisites

If you already installed the ibm-common-service-operator in your cluster, you must first complete these steps before you bring your own certificate.

  1. Stop the IBM Common Service operator from creating a certificate object. To do so, scale down the deployment replicas to 0.

     oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=0
    
  2. Delete the foundational services self-signed CA certificate resource so that the cert-manager service does not re-create the updated secret.

     oc delete certificate cs-ca-certificate -n <your-foundational-services-namespace>
    
  3. Delete the foundational services issuer.

     oc delete issuer cs-ss-issuer -n <your-foundational-services-namespace>
    
  4. Delete the foundational services self-signed CA certificate secret.

     oc delete secret cs-ca-certificate-secret -n <your-foundational-services-namespace>
    

Create your own certificate or secret

You can bring your own certificate in two ways:

Re-create the cs-ca-certificate-secret by using your CA certificate

If you already have your own CA certificate, you can re-create the secret.

During the foundational services installation, the foundational services operator detects the presence of the cs-ca-certificate-secret secret. The operator then does not generate the cs-ss-issuer self-signed issuer and the cs-ca-certificate CA certificate.

  1. Re-create the cs-ca-certificate-secret by using your CA certificate (ca.crt), TLS certificate (tls.crt), and private key (tls.key).

      oc -n <your-foundational-services-namespace> create secret generic cs-ca-certificate-secret --from-file=ca.crt=<your path>/ca.crt  --from-file=tls.crt=<your path>/tls.crt --from-file=tls.key=<your path>/tls.key
    
  2. Add a leaf-certificate refresh label to the secret.

     oc label secret cs-ca-certificate-secret -n <your-foundational-services-namespace> ibm-cert-manager-operator/refresh-ca-chain=true
    
  3. Scale up the ibm-common-service-operator deployment replicas to 1.

     oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1
    

Create a self-signed issuer and CA certificate

Create an issuer and generate a CA certificate. You can use the default names of cs-ss-issuer and cs-ca-certificate, or use custom names for the issuer and certificate. However, the generated secret name must be cs-ca-certificate-secret.

During installation, the IBM Certificate Manager service generates the cs-ca-ceritificates-secret secret.

  1. Create a self-signed Issuer. Use the following .yaml file to define a self-signed Issuer.

     apiVersion: cert-manager.io/v1
     kind: Issuer
     metadata:
       name: ss-issuer
       namespace: <your-foundational-services-namespace>
     spec:
       selfSigned: {}
    
  2. After you create the self-signed Issuer, create a CA certificate that references the self-signed issuer and specifies the isCA field.

     apiVersion: cert-manager.io/v1
     kind: Certificate
     metadata:
       labels:
         ibm-cert-manager-operator/refresh-ca-chain: 'true' 
       name: cs-ca-certificate
       namespace: <your-foundational-services-namespace>
     spec:
       secretName: cs-ca-certificate-secret
       secretTemplate:
         labels:
           ibm-cert-manager-operator/refresh-ca-chain: 'true'
       issuerRef:
         name: ss-issuer
         kind: Issuer
       commonName: cs-ca-certificate
       isCA: true      
       duration: 17520h0m0s
       renewBefore: 5840h0m0s
    
  3. Scale up the ibm-common-service-operator deployment replicas to 1.

     oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1