Updating expired or changed CA-signed certificates
If your CA-signed certificate has expired or your certification authority has changed, you must update the CA-signed certificate. Make sure that you update the certificate on the load balancer or the ingress controller.
- Update the BMC Discovery appliances with the updated certificates.
- Import the updated certificate into the CA certificate bundle of Java (Java keystore) and the non-Java CA certificate bundle.
For Java pods, use the following command:
keytool -import -trustcacerts -file ${INSTALLER_DIR}/commons/certs/custom_cacert.pem -alias CA_ALIAS -keystore ${INSTALLER_DIR}/commons/certs/cacerts -storepass changeit -noprompt
INSTALLER_DIR is the path where you have unzipped the installer.
For non-Java pods, use the following command:
cat ${INSTALLER_DIR}/commons/certs/non_java_cacerts.crt ${INSTALLER_DIR}/commons/certs/custom_cacert.pem > ${INSTALLER_DIR}/commons/certs/cacerts.pem
INSTALLER_DIR is the path where you have unzipped the installer.
For information about downloading the installer, see Downloading-the-deployment-manager.
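A pre-flight check for the non-Java bundle built above, as an added example that is not part of the BMC documentation: it confirms that custom_cacert.pem is actually present in cacerts.pem and is not close to expiry before the configmaps are updated. The function names and the 30-day default are assumptions, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not BMC code. Function names and defaults are assumptions.

# split_bundle BUNDLE DIR: write each certificate in a PEM bundle to DIR/cert-N.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# fingerprint CERT: print the SHA-256 fingerprint of a single PEM certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_bundle BUNDLE CUSTOM_CA [MIN_DAYS]
# Returns 0 only if CUSTOM_CA is present in BUNDLE and stays valid for at
# least MIN_DAYS (default 30). Expired bundle members are reported as warnings.
check_bundle() {
    bundle=$1; custom=$2; min_days=${3:-30}
    want=$(fingerprint "$custom")
    [ -n "$want" ] || { echo "FAIL: cannot parse $custom" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    found=no; rc=0
    for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] || continue
        if [ "$(fingerprint "$c")" = "$want" ]; then found=yes; fi
        # -checkend 0 exits non-zero when the certificate has already expired
        if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            echo "WARN: expired or unreadable entry: $(openssl x509 -in "$c" -noout -subject 2>/dev/null)" >&2
        fi
    done
    rm -rf "$tmp"
    if [ "$found" != yes ]; then
        echo "FAIL: custom CA not found in $bundle" >&2; rc=1
    fi
    if ! openssl x509 -in "$custom" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: custom CA expires within $min_days days" >&2; rc=1
    fi
    return "$rc"
}

# Usage, with the paths from this page:
#   check_bundle "${INSTALLER_DIR}/commons/certs/cacerts.pem" \
#                "${INSTALLER_DIR}/commons/certs/custom_cacert.pem" 30
```

A non-zero return means the bundle should be rebuilt or the certificate replaced before the configmaps are updated and the pods restarted.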
Run the following commands in the following order to update the configmaps to reflect the updated certificate:
kubectl create configmap cacertcm --from-file=${INSTALLER_DIR}/commons/certs/cacerts -n <NAMESPACE> --dry-run -o yaml | kubectl apply -f -
kubectl create configmap pemcm --from-file=${INSTALLER_DIR}/commons/certs/cacerts.pem -n <NAMESPACE> --dry-run -o yaml | kubectl apply -f -
Rename the new certificate file to cacerts.pem by using the following command:
cp ${INSTALLER_DIR}/commons/certs/<NEWCERTPEMFILE> ${INSTALLER_DIR}/commons/certs/cacerts.pem
where NEWCERTPEMFILE is the name of the new certificate to be imported.
- Create configmaps for Java and non-Java certificates by using the following commands:
- kubectl create configmap cacertcm --from-file=${INSTALLER_DIR}/commons/certs/cacerts -n <NAMESPACE>
- kubectl create configmap pemcm --from-file=${INSTALLER_DIR}/commons/certs/cacerts.pem -n <NAMESPACE>
(Optional) If the root certificate or intermediate certificate has changed, run the following command to add the root certificate in the configmap:
kubectl edit cm deployment-repository-service-cm -n <NAMESPACE>
Restart all pods by running the following command:
kubectl get pod -n <NAMESPACE> | grep Running | awk '{print $1}' | xargs kubectl delete pod -n <NAMESPACE>
(For BMC Helix Operations Management) If the root certificate or intermediate certificate has changed, update the PATROL Agents with the new certificate.
Stop the PATROL Agent.
To stop the PATROL Agent, see Stopping the PATROL Agent in the BMC PATROL Agent documentation.
- Go to the Patrol3/security/certificates directory.
- In the mca_ca.cer file, update the root certificate details.
Start the PATROL Agent.
To start the PATROL Agent, see Starting the PATROL Agent in the BMC PATROL Agent documentation.