Renewing PowerVC certificates

Edit online

Existing PowerVC certificates that are nearing expiration can be renewed for three years. The certificate renewal process is applicable only for certificates that are generated during PowerVC installation. You can use the powervc-opsmgr command to renew certificates.

Certificate renewal command

The powervc-opsmgr config certs -c <clustername> --type <cert-type> command allows you to specify the cluster and certificate type to renew. The following certificate types are available:
  • 'powervc': Applicable for the PowerVC certificate.
  • 'rabbit': Applicable for RabbitMQ certificate.
  • 'zookeeper': Applicable for Zookeeper certificate.
  • 'novnc': Applicable for the NoVNC certificate.
  • 'db': Applicable for MariaDB and MongoDB certificates.
  • memcached: Applicable for memcached certificates.
Subcommands
  • -c <clustername>: Specifies the cluster name on which the command must be executed.
  • --ca-cert <CA_CERT>: Specifies the path to the CA certificate.
  • --validate: Validates the CA certificate. Use this option to check certificate integrity.
  • --type {rabbit, zookeeper, powervc, novnc, db, memcached}: Defines the certificate type that you want to renew.
  • --sync [{secondary, nl, cpn, bn}]: Syncs the certificates across nodes in multinode setups. (For example, NovaLink, compute plane node, backup node).
  • --restart [{nl, cpn, bn}]: Restarts PowerVC services after the certificate renewal.
  • --check-expiry [{default, nl, cpn, bn}]: Checks the expiry status of the certificates.

After the certificates are renewed successfully, restart the respective PowerVC services. For more information about restarting the PowerVC services, see the Restarting PowerVC services section.

Verifying the expiry date of certificates

Run the powervc-opsmgr config certs --check-expiry -c <cluster name> command to check the expiry date of the certificates.

Synchronizing certificates for multinodes

For multinode setups, you must synchronize the certificates across all nodes after renewal. Run the powervc-opsmgr config certs -c <clustername> --sync secondary command to sync certificates from the primary node to other nodes.

Restarting PowerVC services

After the certificate is renewed, restart the required services by running any of the powervc-services commands to apply the changes.
  • powervc-services zookeeper restart
  • powervc-services httpd restart
  • powerv-services rabbitmq restart
  • powervc-services nova restart
  • powervc-opsmgr config certs --restart <remote-node> -c <clustername>: For remote nodes such as NovaLink, compute plane node, and backup node.
The database certificates can be renewed by using the following commands:
  • powervc-services db restart
  • powervc-services ui-server restart
  • powervc-services bumblebee restart

Limitations

The following limitations must be considered when renewing certificates:
  • Certificates that are created manually outside of the PowerVC installation must be renewed independently.
  • Make sure that the certificates are updated and synced across all relevant nodes.
  • After renewing or generating new certificates, restart the services on the nodes to apply the changes correctly.