Bringing your own CA Certificate
You can replace the IBM Cloud Pak foundational services self-signed certificate authority (CA) certificate with your own CA certificate.
You can either generate a certificate and create an issuer, or create just the secret.
Note: Anytime you need to bring back your original certificate, see Bringing back your original CA Certificate.
Prerequisites
If you already installed the ibm-common-service-operator in your cluster, you must first complete these steps before you bring your own certificate.
- Stop the IBM Common Service operator from creating a certificate object. To do so, scale down the deployment replicas to 0.
oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=0
- Delete the foundational services self-signed CA certificate resource, so that the cert-manager service does not re-create the secret and overwrite the one that you create later.
oc delete certificate cs-ca-certificate -n <your-foundational-services-namespace>
- Delete the foundational services issuer.
oc delete issuer cs-ss-issuer -n <your-foundational-services-namespace>
- Delete the foundational services self-signed CA certificate secret.
oc delete secret cs-ca-certificate-secret -n <your-foundational-services-namespace>
Create your own certificate or secret
You can bring your own certificate in two ways:
- Re-create the cs-ca-certificate-secret by using your CA certificate.
- Create a self-signed issuer and generate your CA certificate.
Re-create the cs-ca-certificate-secret by using your CA certificate
If you already have your own CA certificate, you can re-create the secret.
During the foundational services installation, the foundational services operator detects the presence of the cs-ca-certificate-secret secret. The operator then does not generate the cs-ss-issuer self-signed issuer and the cs-ca-certificate CA certificate.
- Re-create the cs-ca-certificate-secret by using your CA certificate (ca.crt), TLS certificate (tls.crt), and private key (tls.key). The tls.key must be the private key for tls.crt, and tls.crt must be a CA certificate, because it is the certificate that signs the foundational services leaf certificates; for a self-signed root CA, ca.crt and tls.crt contain the same certificate.
oc -n <your-foundational-services-namespace> create secret generic cs-ca-certificate-secret --from-file=ca.crt=<your path>/ca.crt --from-file=tls.crt=<your path>/tls.crt --from-file=tls.key=<your path>/tls.key
- Add a leaf-certificate refresh label to the secret, so that the leaf certificates that were signed by the previous CA are re-issued.
oc label secret cs-ca-certificate-secret -n <your-foundational-services-namespace> ibm-cert-manager-operator/refresh-ca-chain=true
- Scale up the ibm-common-service-operator deployment replicas to 1.
oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1
Create a self-signed issuer and CA certificate
Create an issuer and generate a CA certificate. You can use the default names of cs-ss-issuer and cs-ca-certificate, or use custom names for the issuer and certificate. However, the generated secret name must be cs-ca-certificate-secret, because that is the secret that the foundational services operator looks for during installation.
When the Certificate resource is created, the IBM Certificate Manager service generates the cs-ca-certificate-secret secret from it.
- Create a self-signed Issuer. Use the following .yaml file to define a self-signed Issuer. The example uses the custom name ss-issuer.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ss-issuer
  namespace: <your-foundational-services-namespace>
spec:
  selfSigned: {}
- After you create the self-signed Issuer, create a CA certificate that references the self-signed issuer and specifies the isCA field. The issuerRef.name must match the name of the Issuer that you created (ss-issuer in this example), and secretName must be cs-ca-certificate-secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    ibm-cert-manager-operator/refresh-ca-chain: 'true'
  name: cs-ca-certificate
  namespace: <your-foundational-services-namespace>
spec:
  secretName: cs-ca-certificate-secret
  secretTemplate:
    labels:
      ibm-cert-manager-operator/refresh-ca-chain: 'true'
  issuerRef:
    name: ss-issuer
    kind: Issuer
  commonName: cs-ca-certificate
  isCA: true
  duration: 17520h0m0s
  renewBefore: 5840h0m0s
- Scale up the ibm-common-service-operator deployment replicas to 1.
oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1
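The following script is an added example and is not part of the IBM documentation or of the operator. It pre-checks the ca.crt, tls.crt and tls.key files before the secret is re-created in the first procedure (the key must belong to the certificate, the certificate must be a CA, and it must chain to ca.crt), and it applies the same checks to the secret that cert-manager generates in the second procedure by reading the secret back from the cluster. The function names, the directory layout and the use of openssl and base64 are assumptions made for this example; the oc commands are the ones from the steps above.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): sanity-check the CA material that goes into
# cs-ca-certificate-secret before handing it to cert-manager. Function names,
# the <dir> layout and the reliance on openssl are assumptions for this example.
set -eu

# validate_ca_material <dir>
# Returns 0 when <dir>/ca.crt, <dir>/tls.crt and <dir>/tls.key form a usable CA set:
#   1. tls.key is the private key for tls.crt (both carry the same public key)
#   2. tls.crt has Basic Constraints CA:TRUE, so cert-manager can sign leaf certs with it
#   3. tls.crt verifies against ca.crt (for a self-signed root both files are identical)
validate_ca_material() {
  local dir=$1 f pub_from_crt pub_from_key crt_text
  for f in ca.crt tls.crt tls.key; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  pub_from_crt=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey)
  pub_from_key=$(openssl pkey -in "$dir/tls.key" -pubout)
  [ "$pub_from_crt" = "$pub_from_key" ] \
    || { echo "tls.key is not the private key for tls.crt" >&2; return 1; }
  crt_text=$(openssl x509 -in "$dir/tls.crt" -noout -text)
  case $crt_text in
    *'CA:TRUE'*) ;;
    *) echo "tls.crt is not a CA certificate (Basic Constraints CA:TRUE missing)" >&2; return 1 ;;
  esac
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 \
    || { echo "tls.crt does not chain to ca.crt" >&2; return 1; }
  return 0
}

# create_ca_secret <namespace> <dir>
# The "Re-create the cs-ca-certificate-secret" steps, gated on the checks above.
create_ca_secret() {
  local ns=$1 dir=$2
  validate_ca_material "$dir"
  oc -n "$ns" create secret generic cs-ca-certificate-secret \
    --from-file=ca.crt="$dir/ca.crt" \
    --from-file=tls.crt="$dir/tls.crt" \
    --from-file=tls.key="$dir/tls.key"
  oc label secret cs-ca-certificate-secret -n "$ns" ibm-cert-manager-operator/refresh-ca-chain=true
  oc scale deployment -n "$ns" ibm-common-service-operator --replicas=1
}

# verify_cluster_ca_secret <namespace>
# For the issuer/Certificate route: read the generated secret back and run the same checks.
verify_cluster_ca_secret() {
  local ns=$1 tmp k rc
  tmp=$(mktemp -d)
  for k in ca.crt tls.crt tls.key; do
    # go-template index handles the dots in the data keys
    oc -n "$ns" get secret cs-ca-certificate-secret \
      -o go-template="{{index .data \"$k\"}}" | base64 -d > "$tmp/$k"
  done
  if validate_ca_material "$tmp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"   # do not leave the CA private key on the workstation
  return "$rc"
}

# Usage:
#   create_ca_secret <your-foundational-services-namespace> <your path>
#   verify_cluster_ca_secret <your-foundational-services-namespace>
```

Run create_ca_secret instead of the three oc commands in the first procedure; it refuses to create the secret if the files are inconsistent, which otherwise surfaces only later as leaf certificates that fail to issue. Run verify_cluster_ca_secret after the Certificate in the second procedure reports Ready.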