If you are replacing your ingress certificate and do not want to use a self-signed
certificate, create a certificate that is signed by a certificate authority (CA).
About this task
When you use a CA for signing, the certificate is returned in a common file format such as DER, CRT, or PKCS7B. You need to convert the certificate to PEM format.
In addition, if your certificate signing request (CSR) uses an intermediate certificate, you need to obtain the root CA certificate. If your certificate is not signed by an intermediate certificate, you need to obtain the intermediate certificate. The root CA certificate on its own does not work when the certificate is not signed by an intermediate certificate, because OpenShift® does not automatically discover the CA trust chain.
Procedure
- Obtain the signed certificate from your certificate authority according to their instructions.
- Convert the certificate to PEM format (see https://knowledge.digicert.com/solution/SO26449.html for more information).
  For example, to convert from DER to PEM, run commands that are similar to the following example:
  Example DER to PEM
    cd working-dir/cert-received
    openssl x509 -inform der -in certificatename.der -out tls.crt
    openssl x509 -inform der -in certificateca.der -out ca.crt
  And, for example, to convert CRT to PEM, run commands that are similar to the following example:
    cd working-dir/cert-received
    openssl x509 -in cert.crt -outform PEM -out tls.crt
    openssl x509 -inform der -in caintermediatecert.der -out ca.crt
  Tip: If you have several certificates that are part of a full certificate chain (for example, an intermediate certificate), concatenate all of the certificates into the ca.crt file.
- Replace the certificates in the insights-ingressca secret by issuing these commands:
    cd working-dir/cert-received
    # tls.key was generated with the CSR in working-dir/cert-request (relative to cert-received it is ../cert-request)
    cp ../cert-request/tls.key .
    export KEY_FILE="tls.key"
    export CA_FILE="ca.crt"
    export CERT_FILE="tls.crt"
    # Back up the existing ingress-ca secret before replacing it
    oc get secret insights-ingressca -n ${NAMESPACE} -o yaml > insights-ingressca_backup.yaml
    oc delete secret insights-ingressca -n ${NAMESPACE}
    oc create secret generic insights-ingressca --type=kubernetes.io/tls -n ${NAMESPACE} --from-file=ca.crt=${CA_FILE} --from-file=tls.crt=${CERT_FILE} --from-file=tls.key=${KEY_FILE}
  After the secret is replaced, the ibm-guardium-insights operator updates the route with the new certificates in the next reconciliation.
  Tip: Check the status of the new certificate on the NAMESPACE-apigateway-api route to make sure that the new certificate did not adversely impact the route. If the route is broken, you can roll back to the backup secret (insights-ingressca_backup.yaml).
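The route check in the Tip above happens after the secret is already replaced. The following pre-flight script is an added example, not part of the IBM documentation: it verifies, before the secret is recreated, that tls.crt matches tls.key, that tls.crt chains up to the certificates concatenated into ca.crt, and that tls.crt is not expired. It assumes the three PEM files are in the current directory under the names used in the procedure; the function names are my own.

```shell
# Added example (not from the IBM documentation): pre-flight checks before
# replacing the insights-ingressca secret. Assumes tls.crt, tls.key and
# ca.crt in PEM format in the current directory.

# Return 0 when the certificate and the private key carry the same public key.
cert_matches_key() {
  local cert="$1" key="$2"
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when tls.crt chains up to ca.crt (intermediate and root
# concatenated, as the Tip in step 2 describes).
chain_verifies() {
  local cert="$1" ca="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Return 0 when the certificate is currently inside its validity period.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check; the caller should only recreate the secret when this returns 0.
preflight() {
  local cert="${1:-tls.crt}" key="${2:-tls.key}" ca="${3:-ca.crt}"
  cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; return 1; }
  chain_verifies "$cert" "$ca"     || { echo "$cert does not verify against $ca" >&2; return 1; }
  cert_not_expired "$cert"         || { echo "$cert is expired" >&2; return 1; }
  echo "preflight OK: safe to replace the insights-ingressca secret"
}

# Usage (NAMESPACE as in the procedure above); the secret is only created
# when all three checks pass:
# preflight tls.crt tls.key ca.crt && \
#   oc create secret generic insights-ingressca --type=kubernetes.io/tls -n "${NAMESPACE}" \
#     --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
```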
What to do next
After you create the certificate, replace the certificate in IBM® Common Services (follow the instructions in this step).