Using SSL Certificates

Detailed information about how to add, configure, and update SSL certificates in IBM Verify Identity Governance - Container.

Overview

Server SSL certificates are handled the same way as CA certificates: each certificate either exists as a file in the config/certs directory or is supplied as a Base64-encoded string. In either case, the certificate must be referenced from the config.yaml file.

Adding an SSL certificate

In the config.yaml file, reference each SSL certificate either as @filename (a file in the config/certs directory) or as B64:<the_base64_string>.

If IBM Verify Identity Governance - Container was installed with the auto-generated SSL certificate, config.yaml contains the following entry:
keystore: null
To add a new SSL certificate, update this entry as shown here:

keystore:
  - cert: '@sslcert.crt'
    key: '@sslcert.key'
    cacert: '@cacert.crt'
Ensure that:
  • The SSL certificate files are in ASCII (PEM) format.
  • The certificate and the private key are separate files.
  • The CA certificate file includes the full signing chain.
If the certificate was issued by an intermediate CA (as is usual with commercial CA services), the CA certificate file must contain every CA certificate in the chain, from the top-level (root) CA down to the CA that actually signed the server certificate. A file that contains only the root CA certificate is not sufficient.

Updating the truststore

You can also add CA certificates to the truststore of an existing IBM Verify Identity Governance - Container installation. Perform the following steps.
  1. Place the new CA certificates in the /config/certs directory.
  2. Open the /config/config.yaml file and go to the truststore section:
    
     truststore:
      - '@isvgimRootCA.crt'
    
  3. Add a line for each new certificate:
    
     truststore:
      - '@isvgimRootCA.crt'
      - '@myNewCA.crt'
    
    Important: When editing the config.yaml file, ensure that the leading spaces are correct, because YAML structure is defined by indentation. All of these entries are under the top-level server: section and are indented 2 spaces; the elements under keystore are indented 4 spaces.
  4. After placing the certificate files in the directory and updating the config.yaml file, run this command: bin/createConfigs.sh setup
  5. The changes take effect the next time the IBM Verify Identity Governance - Container pods restart. To restart them immediately, run the following command, where <StatefulSetName> is the name of the StatefulSet that manages the pods (rollout restart sts takes a StatefulSet name, not a pod name): kubectl -n <namespace> rollout restart sts <StatefulSetName>
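The following script is an added example and is not part of the IBM documentation or the product. It covers both procedures above: before a certificate is referenced from the keystore: section it checks the three requirements (PEM format, separate key that matches the certificate, CA file with the full chain) with the openssl CLI, prints the keystore: fragment with the indentation described above, and adds a truststore: entry to config.yaml only if the file is present in the certs directory next to it. It assumes openssl 1.1.1 or 3.x and a POSIX shell; the file names sslcert.crt, myNewCA.crt, the host name isvg.example.com and the demo CA names are hypothetical, and the demo mode builds its own throwaway root, intermediate and server certificates so it runs offline.

```shell
#!/bin/sh
# Pre-flight checks for config.yaml keystore/truststore entries. Added example,
# not IBM's code: assumes the openssl CLI (1.1.1 or 3.x), a POSIX shell, and
# hypothetical file names (sslcert.crt, myNewCA.crt, isvg.example.com).

# Validate a server certificate, its key and the CA chain file before they are
# referenced from the keystore: section. Returns 0 only if every check passes.
preflight_check() {
  cert=$1; key=$2; cacert=$3
  # 1. PEM (ASCII) encoding: DER or PKCS#12 input has no BEGIN marker.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "FAIL: $key is not a PEM private key"; return 1; }
  # 2. The key must belong to the certificate: compare the two public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot parse $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: cannot parse $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; return 1; }
  # 3. The CA file must hold the whole signing chain. -CAfile trusts every
  #    certificate in the file, so a missing intermediate shows up as
  #    "unable to get local issuer certificate".
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cacert")
  openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 || {
    echo "FAIL: $cacert ($n cert(s)) does not chain to $cert, whose $(openssl x509 -in "$cert" -noout -issuer)"
    return 1
  }
  echo "OK: $cert, $key and $cacert ($n CA cert(s)) are consistent"
}

# Print the keystore: fragment with the indentation config.yaml expects
# (2 spaces under server:, 4 for the list items).
keystore_yaml() {
  printf "server:\n  keystore:\n    - cert: '@%s'\n      key: '@%s'\n      cacert: '@%s'\n" \
    "$(basename "$1")" "$(basename "$2")" "$(basename "$3")"
}

# Append "- '@name'" to the truststore: list of config.yaml, only if the file
# exists in the certs directory next to it. Idempotent. Assumes the layout
# from the docs: truststore: at 2 spaces, list items at 4.
add_truststore_entry() {
  cfg=$1; name=$2; tmp="$cfg.tmp"
  grep -q -- "'@$name'" "$cfg" && { echo "SKIP: $name already in truststore"; return 0; }
  [ -f "$(dirname "$cfg")/certs/$name" ] || { echo "FAIL: $name is not in $(dirname "$cfg")/certs"; return 1; }
  awk -v entry="    - '@$name'" '
    /^  truststore:/   { in_ts = 1; print; next }
    in_ts && /^    - / { print; next }
    in_ts              { print entry; in_ts = 0 }
                       { print }
    END                { if (in_ts) print entry }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg" && echo "OK: added '@$name' to $cfg"
}

# Build a throwaway root -> intermediate -> server chain in $1 (constructed demo data).
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:isvg.example.com\n' > "$d/server.ext"
  csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null; }
  csr root "Demo Root CA" && csr int "Demo Issuing CA" && csr sslcert isvg.example.com &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/sslcert.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/sslcert.crt" 2>/dev/null &&
  cat "$d/int.crt" "$d/root.crt" > "$d/cacert.crt"   # full chain, as the docs require
}

case "${1:-}" in
  demo)
    d=$(mktemp -d) && make_demo_pki "$d" || exit 1
    preflight_check "$d/sslcert.crt" "$d/sslcert.key" "$d/cacert.crt"   # passes: full chain
    preflight_check "$d/sslcert.crt" "$d/sslcert.key" "$d/root.crt"     # fails: intermediate missing
    keystore_yaml "$d/sslcert.crt" "$d/sslcert.key" "$d/cacert.crt"
    rm -rf "$d" ;;
  check)  preflight_check "$2" "$3" "$4" && keystore_yaml "$2" "$3" "$4" ;;
  add-ca) add_truststore_entry "$2" "$3" ;;
  *)      echo "usage: $0 demo | $0 check sslcert.crt sslcert.key cacert.crt | $0 add-ca config.yaml myNewCA.crt" ;;
esac
```

Run it with demo to see one passing and one failing chain check, with check against your own files before editing config.yaml, and with add-ca after copying the new CA certificate into the certs directory; bin/createConfigs.sh setup and the rollout restart still have to be run afterwards as described in steps 4 and 5.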