Creating a CA-signed certificate

If you are replacing your ingress certificate and do not want to use a self-signed certificate, create a certificate that is signed by a certificate authority (CA).

Before you begin

Prerequisites for this task are described in Replacing the ingress certificate.

About this task

When you use a CA for signing, the certificate is returned in a common file format such as DER, CRT, or PKCS7B. You need to convert the certificate to PEM format.

In addition, if your certificate signing request (CSR) uses an intermediate certificate, you also need to obtain the root CA certificate. If your certificate is not signed by an intermediate certificate, you need to obtain the intermediate certificate. The root CA certificate on its own does not work if the certificate is not signed by an intermediate certificate, because OpenShift® does not automatically identify CA trust chains.

Procedure

  1. Obtain the signed certificate from your certificate authority according to their instructions.
  2. Convert the certificate to PEM format (see https://knowledge.digicert.com/solution/SO26449.html for more information).

    For example, to convert from DER to PEM, run commands that are similar to the following example:

    cd working-dir/cert-received
    # DER to PEM: the server certificate, then the CA certificate
    openssl x509 -inform der -in certificatename.der -out tls.crt
    openssl x509 -inform der -in certificateca.der -out ca.crt

    And, for example, to convert from CRT to PEM, run commands that are similar to the following example:

    cd working-dir/cert-received
    openssl x509 -in cert.crt -outform PEM -out tls.crt
    # The intermediate CA certificate in this example was received in DER format
    openssl x509 -inform der -in caintermediatecert.der -out ca.crt
    Tip: If you have several certificates that together form the full certificate chain (for example, an intermediate certificate), concatenate all of them into the ca.crt file.
  3. Replace the certificates in the insights-ingressca secret by issuing these commands:
    cd working-dir/cert-received
    cp ../cert-request/tls.key .
    
    export KEY_FILE="tls.key"
    export CA_FILE="ca.crt"
    export CERT_FILE="tls.crt"
    
    # Back up the existing insights-ingressca secret so that you can roll back
    oc get secret insights-ingressca -n ${NAMESPACE} -o yaml > insights-ingressca_backup.yaml
    
    oc delete secret insights-ingressca -n ${NAMESPACE}
    oc create secret generic insights-ingressca --type=kubernetes.io/tls -n ${NAMESPACE} --from-file=ca.crt=${CA_FILE} --from-file=tls.crt=${CERT_FILE} --from-file=tls.key=${KEY_FILE}

    After the secret is replaced, the ibm-guardium-insights operator updates the route with the new certificates in the next reconciliation.

    Tip: Check the status of the new certificate on the NAMESPACE-apigateway-api route to make sure that the new certificate did not adversely affect the route. If the route is broken, you can roll back to the backup secret (insights-ingressca_backup.yaml).
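    The checks that are worth running between step 2 and step 3, as an added example that is not part of the IBM documentation or the product: a small POSIX shell script that converts a received certificate to PEM whichever encoding it arrived in (the page shows one command per encoding; this detects PEM versus DER itself), confirms that tls.key belongs to tls.crt, verifies that tls.crt chains up to the contents of ca.crt (this is exactly what fails when only the root CA certificate is supplied for a certificate issued by an intermediate), and checks that the certificate is not about to expire. The file names tls.crt, ca.crt and tls.key follow the page; the function names, the host name insights.example.test and the throwaway root, intermediate and leaf chain that make_demo_chain builds are this example's own constructions, and the openssl CLI (1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: pre-flight checks on tls.crt,
# ca.crt and tls.key before they replace the insights-ingressca secret.
# Assumes the openssl CLI (1.1.1 or later). All function names are this example's own.

# Convert a certificate to PEM, detecting whether the input is already PEM or is DER.
to_pem() {  # usage: to_pem <input-cert> <output.pem>
  if openssl x509 -in "$1" -inform pem -noout 2>/dev/null; then
    openssl x509 -in "$1" -inform pem -out "$2"
  else
    openssl x509 -in "$1" -inform der -out "$2"
  fi
}

# SHA-256 fingerprint of a PEM certificate, used to compare two encodings of one cert.
cert_fingerprint() {  # usage: cert_fingerprint <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# True only if the private key belongs to the certificate (compares the public keys).
key_matches_cert() {  # usage: key_matches_cert <tls.crt> <tls.key>
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# True only if tls.crt chains up to the certificates in ca.crt. OpenShift does not
# discover the chain on its own, so this fails when ca.crt holds the root alone but
# the certificate was issued by an intermediate; concatenating the intermediate and
# the root into ca.crt (the page's tip) makes it pass.
chain_verifies() {  # usage: chain_verifies <tls.crt> <ca.crt>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True only if the certificate stays valid for at least the given number of seconds.
not_expiring_within() {  # usage: not_expiring_within <tls.crt> <seconds>
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run every check on a directory that holds tls.crt, ca.crt and tls.key.
# Returns 0 only if all checks pass, so it can gate the oc create secret step.
preflight() {  # usage: preflight <dir>
  rc=0
  key_matches_cert "$1/tls.crt" "$1/tls.key" || { echo "tls.key does not match tls.crt"; rc=1; }
  chain_verifies "$1/tls.crt" "$1/ca.crt" || { echo "tls.crt does not verify against ca.crt"; rc=1; }
  not_expiring_within "$1/tls.crt" 86400 || { echo "tls.crt expires within 24 hours"; rc=1; }
  return $rc
}

# Constructed demo data: a throwaway root -> intermediate -> leaf chain, plus a DER copy
# of the leaf, written into <dir>. The body runs in a subshell so the cd does not leak.
make_demo_chain() (  # usage: make_demo_chain <dir>
  set -e
  mkdir -p "$1" && cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:insights.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj /CN=Demo-Root 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj /CN=Demo-Intermediate 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout tls.key -out tls.csr -subj /CN=insights.example.test 2>/dev/null
  openssl x509 -req -in tls.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
    -extfile leaf.ext -out tls.crt 2>/dev/null
  cat int.crt root.crt > ca.crt                       # full chain, as the page's tip says
  openssl x509 -in tls.crt -outform der -out tls.der  # DER copy, as a CA might return it
)
```

    Run preflight on working-dir/cert-received after step 2 and go on to the oc create secret command only when it returns 0. Running chain_verifies against a ca.crt that holds only the root certificate reproduces the failure that the About this task section warns about, which is easier to diagnose here than after the route has stopped serving.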

What to do next

After you create the certificate, replace the certificate in IBM® Common Services (follow the instructions in this step).