Bringing your own CA Certificate
You can replace the IBM Cloud Pak foundational services self-signed certificate authority (CA) certificate with your own CA certificate.
You can either generate a certificate and create an issuer, or create just the secret.
Prerequisites
If you already installed the ibm-common-service-operator in your cluster, complete these steps before you bring your own certificate.
- Stop the IBM Common Service operator from creating a certificate object. To do so, scale the deployment replicas down to 0.
  oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=0
- Delete the foundational services self-signed CA certificate resource, so that the cert-manager service does not re-create the secret after you replace it.
  oc delete certificate cs-ca-certificate -n <your-foundational-services-namespace>
- Delete the foundational services issuer.
  oc delete issuer cs-ss-issuer -n <your-foundational-services-namespace>
- Delete the foundational services self-signed CA certificate secret.
  oc delete secret cs-ca-certificate-secret -n <your-foundational-services-namespace>
Create your own certificate or secret
You can bring your own certificate in two ways:
- Re-create the cs-ca-certificate-secret by using your CA certificate.
- Create an issuer and issue your CA certificate.
Re-create the cs-ca-certificate-secret by using your CA certificate
If you already have your own CA certificate, you can re-create the secret.
During the foundational services installation, the foundational services operator detects the presence of the cs-ca-certificate-secret secret. The operator then does not generate the cs-ss-issuer self-signed issuer or the cs-ca-certificate CA certificate.
- Re-create the cs-ca-certificate-secret by using your CA certificate (ca.crt), TLS certificate (tls.crt), and private key (tls.key). Note that this secret holds the private key that signs every certificate issued for foundational services, so restrict who can read secrets in this namespace accordingly.
  oc -n <your-foundational-services-namespace> create secret generic cs-ca-certificate-secret --from-file=ca.crt=<your-path>/ca.crt --from-file=tls.crt=<your-path>/tls.crt --from-file=tls.key=<your-path>/tls.key
- Add a leaf-certificate refresh label to the secret.
  oc label secret cs-ca-certificate-secret -n <your-foundational-services-namespace> ibm-cert-manager-operator/refresh-ca-chain=true
- Scale the ibm-common-service-operator deployment replicas up to 1.
  oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1
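Before running the oc create secret generic command above, it is worth checking that the three files actually belong together: oc does not validate the contents of a generic secret, and a non-CA certificate in tls.crt or a key that does not match it only shows up later, when leaf certificates fail to issue. The script below is an added example, not IBM's code or part of the product. It assumes, following cert-manager's CA-issuer convention, that tls.crt/tls.key is the signing CA pair and ca.crt is the trust anchor it chains to (for a self-signed root, ca.crt is a copy of tls.crt). The demo material it generates (an "Example BYO Root CA", a leaf certificate, an unrelated key) is constructed for the self-test and has no connection to any real deployment; openssl must be on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): sanity-check the three files before they are
# packed into cs-ca-certificate-secret with `oc create secret generic`.
# Assumption: as in cert-manager's CA-issuer convention, tls.crt/tls.key is the
# signing CA pair and ca.crt is the trust anchor it chains to (for a self-signed
# root, ca.crt and tls.crt are the same file).
set -u

# check_ca_bundle CA_CRT TLS_CRT TLS_KEY
# Returns 0 only when every check passes; prints the first failure to stderr.
check_ca_bundle() {
  local ca="$1" crt="$2" key="$3" f crt_pub key_pub
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "check_ca_bundle: cannot read $f" >&2; return 1; }
  done
  # 1. tls.crt will sign leaf certificates, so it must carry
  #    basicConstraints CA:TRUE; a server certificate here breaks issuance.
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "check_ca_bundle: tls.crt is not a CA certificate" >&2; return 1; }
  # 2. tls.crt must chain to ca.crt, otherwise clients that trust ca.crt will
  #    reject everything issued from tls.crt.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "check_ca_bundle: tls.crt does not chain to ca.crt" >&2; return 1; }
  # 3. tls.key must be the private key for tls.crt: compare the public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
    || { echo "check_ca_bundle: tls.key does not match tls.crt" >&2; return 1; }
  # 4. The signing certificate must be valid right now.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "check_ca_bundle: tls.crt is expired" >&2; return 1; }
  return 0
}

# make_demo_pki DIR
# Constructed test material (hypothetical names): a self-signed root CA that is
# a valid bundle, a non-CA leaf certificate, and an unrelated private key.
make_demo_pki() {
  local d="$1"
  mkdir -p "$d"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example BYO Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Valid bundle: self-signed root, so ca.crt is a copy of tls.crt.
  openssl req -x509 -config "$d/pki.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 730 -keyout "$d/tls.key" -out "$d/tls.crt" >/dev/null 2>&1
  cp "$d/tls.crt" "$d/ca.crt"
  # Leaf certificate signed by the root: chains correctly but is not a CA.
  openssl req -new -config "$d/pki.cnf" -subj "/CN=leaf.example.internal" \
    -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/tls.key" \
    -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions leaf_ext \
    -out "$d/leaf.crt" >/dev/null 2>&1
  # Unrelated key, to simulate pairing tls.crt with the wrong tls.key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/wrong.key" >/dev/null 2>&1
}

# Usage: ./check_ca_bundle.sh demo   (self-test on constructed material), or
#        ./check_ca_bundle.sh <path>/ca.crt <path>/tls.crt <path>/tls.key
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  check_ca_bundle "$tmp/ca.crt" "$tmp/tls.crt" "$tmp/tls.key" && echo "root bundle: OK"
  check_ca_bundle "$tmp/ca.crt" "$tmp/leaf.crt" "$tmp/leaf.key" || echo "leaf as tls.crt: rejected"
  check_ca_bundle "$tmp/ca.crt" "$tmp/tls.crt" "$tmp/wrong.key" || echo "wrong key: rejected"
  rm -rf "$tmp"
elif [ $# -eq 3 ]; then
  check_ca_bundle "$1" "$2" "$3" && echo "bundle OK: safe to create cs-ca-certificate-secret"
fi
```

Run it with the three real paths before the oc create secret generic step; a non-zero exit means the secret would be created with content that cert-manager cannot issue from. The check compares public keys rather than RSA moduli so it works unchanged for EC keys.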
Create an issuer and CA certificate
Create an issuer and generate a CA certificate. You can use the default names of cs-ss-issuer and cs-ca-certificate, or use custom names for the issuer and certificate (the example below uses the custom issuer name ss-issuer). However, the generated secret name must be cs-ca-certificate-secret.
During installation, the IBM Certificate Manager service generates the cs-ca-certificate-secret secret from this Certificate resource.
- Create an Issuer. Use the following .yaml file to define an Issuer.
  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: ss-issuer
    namespace: <your-foundational-services-namespace>
  spec:
    selfSigned: {}
- After you create the Issuer, create a CA certificate that references the issuer and specifies the isCA field. The secretTemplate label ensures that the generated secret carries the ibm-cert-manager-operator/refresh-ca-chain label; duration is two years and renewBefore asks cert-manager to renew the CA about eight months before it expires.
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    labels:
      ibm-cert-manager-operator/refresh-ca-chain: 'true'
    name: cs-ca-certificate
    namespace: <your-foundational-services-namespace>
  spec:
    secretName: cs-ca-certificate-secret
    secretTemplate:
      labels:
        ibm-cert-manager-operator/refresh-ca-chain: 'true'
    issuerRef:
      name: ss-issuer
      kind: Issuer
    commonName: cs-ca-certificate
    isCA: true
    duration: 17520h0m0s
    renewBefore: 5840h0m0s
- Scale the ibm-common-service-operator deployment replicas up to 1.
  oc scale deployment -n <your-foundational-services-namespace> ibm-common-service-operator --replicas=1