Updating expired certificates


Depending on whether your certificates are signed by a public Certificate Authority (CA) or by a custom CA, follow the matching procedure below to replace the expired certificates.

To update public CA-signed certificates

  • If you have attached the certificate on the load balancer, refer to the documentation of your load balancer to replace the certificate there.
  • If you have attached the certificate on the NGINX Ingress controller, perform the following steps:
    1. Replace the TLS secret with the new certificate and private key by running the following command:

      $ kubectl create secret tls my-tls-secret --cert=/path/to/new-cert.pem --key=/path/to/new-privkey.pem -n ingress-nginx

      kubectl create fails with AlreadyExists if a secret with that name is still present from the previous certificate. Delete the old secret first, or generate the secret with --dry-run=client -o yaml and pipe it to kubectl apply, as the configmap commands later in this topic do.
    2. Restart the Ingress controller daemonset by running the following command:

      $ kubectl -n ingress-nginx rollout restart daemonset ingress-nginx-controller

      The rollout restart ensures that every controller pod reloads the new certificate.

  • (For BMC Helix Operations Management only) If the root or intermediate certificate has changed, update the PATROL Agents with the new certificates:
    1. Stop the PATROL Agent.
      To stop the PATROL Agent, see Stopping PATROL Agent in the BMC PATROL Agent documentation.

    2. Go to the Patrol3/security/certificates directory.
    3. Replace the root certificate in the mca_ca.cer file with the new one.
    4. Start the PATROL Agent.
      To start the PATROL Agent, see Starting PATROL Agent in the BMC PATROL Agent documentation.

  • (For BMC Helix Operations Management only) If the root or intermediate certificate has changed, run the following commands to add the root certificate to the configmap and restart the deployment that serves it:

    $ kubectl -n ${NAMESPACE} create configmap deployment-repository-service-cm --from-file=mca_ca.cer=${PROJECT_DIR}/commons/certs/custom_cacert.pem --dry-run=client --save-config -o yaml | kubectl -n ${NAMESPACE} apply -f -
    $ kubectl -n ${NAMESPACE} rollout restart deployment deployment-repository-service

    In the commands, ${NAMESPACE} is the value of NAMESPACE in the ${PROJECT_DIR}/configs/infra.config file, and ${PROJECT_DIR} is the full path of the deployment manager directory.
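The Ingress controller steps above (and the identical steps under "To update custom CA-signed certificates") use kubectl create secret tls, which fails with AlreadyExists while the secret holding the expired certificate still exists. The following script is an added example and is not part of this page or of BMC's deployment manager. It checks that the new certificate belongs to the new private key and is not itself close to expiry, writes the Secret with kubectl apply so that re-running it is safe, then performs the rollout restart described above and waits for it to finish. It assumes openssl, kubectl and base64 on the PATH and the page's placeholder names (my-tls-secret, ingress-nginx); the function names are mine.

```shell
# Added example, not BMC's code: renew an Ingress TLS secret with pre-checks.
# Assumes openssl, kubectl and base64 are on PATH.
set -eu

# Does the certificate's public key match the private key?
# Both sides are reduced to the SHA-256 of the DER-encoded public key.
cert_matches_key() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Is the certificate still valid in N days? (openssl -checkend wants seconds)
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null
}

# Render a kubernetes.io/tls Secret manifest. Applying a manifest is idempotent:
# unlike `kubectl create secret tls`, it also succeeds when the secret already
# exists, which is exactly the renewal case this page covers.
tls_secret_manifest() {
  name="$1"; ns="$2"; cert="$3"; key="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$cert" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# Full renewal: pre-checks, apply, restart the controller daemonset, wait.
# Refuses certificates that expire within min_days (default 30).
renew_ingress_tls() {
  name="$1"; ns="$2"; cert="$3"; key="$4"; min_days="${5:-30}"
  cert_matches_key "$cert" "$key" || { echo "certificate does not match key" >&2; return 1; }
  cert_valid_for_days "$cert" "$min_days" || { echo "certificate expires within $min_days days" >&2; return 1; }
  tls_secret_manifest "$name" "$ns" "$cert" "$key" | kubectl apply -f -
  # The restart is what the page prescribes so every pod reloads the new secret.
  kubectl -n "$ns" rollout restart daemonset ingress-nginx-controller
  kubectl -n "$ns" rollout status daemonset ingress-nginx-controller --timeout=300s
}

# Usage (not executed here):
# renew_ingress_tls my-tls-secret ingress-nginx /path/to/new-cert.pem /path/to/new-privkey.pem
```

The two pre-checks catch the most common renewal mistakes: pairing a renewed certificate with the previous key, and installing a certificate that is itself already near expiry. Because the manifest is applied rather than created, the same script can be rerun after a failed rollout without first deleting the secret.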

To update custom CA-signed certificates

  1. Update BMC Discovery with the new certificates.
    For more information, see Appliance certificates in the BMC Discovery documentation.

  2. If you have attached the certificate on the load balancer, replace it there by following the documentation of your load balancer.
  3. If you have attached the certificate on the Ingress controller, perform the following steps:
    1. Replace the TLS secret with the new certificate and private key by running the following command:

      $ kubectl create secret tls my-tls-secret --cert=/path/to/new-cert.pem --key=/path/to/new-privkey.pem -n ingress-nginx

      kubectl create fails with AlreadyExists if the secret from the previous certificate is still present; delete the old secret first.
    2. Restart the Ingress controller daemonset by running the following command:

      $ kubectl -n ingress-nginx rollout restart daemonset ingress-nginx-controller

      The rollout restart ensures that every controller pod reloads the new certificate.

  4. If your custom CA has changed, run the following commands:

    PROJECT_DIR=
    NAMESPACE=
    ES_JKS_PASSWORD=

    # Start from the shipped truststores so aliases from the previous CA do not linger
    cp ${PROJECT_DIR}/commons/certs/java_cacerts ${PROJECT_DIR}/commons/certs/cacerts
    cp ${PROJECT_DIR}/commons/certs/non_java_cacerts.crt ${PROJECT_DIR}/commons/certs/cacerts.pem
    mkdir -p ${PROJECT_DIR}/commons/certs/keystore
    rm -f ${PROJECT_DIR}/commons/certs/keystore/keystore.jks

    # Merge each certificate of the custom CA bundle into the Java truststore, one alias per certificate
    CERTS_COUNT=$(grep 'END CERTIFICATE' ${PROJECT_DIR}/commons/certs/custom_cacert.pem | wc -l)
    for N in $(seq 0 $(($CERTS_COUNT - 1))); do
      ALIAS="custom_cacert-$N"
      # awk prints only the N-th certificate: the counter advances after each END CERTIFICATE line
      cat ${PROJECT_DIR}/commons/certs/custom_cacert.pem |
        awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
        keytool -noprompt -import -trustcacerts \
          -alias $ALIAS -keystore ${PROJECT_DIR}/commons/certs/cacerts -storepass changeit &> /dev/null
      # Create the Java keystore for ES with the same certificates
      cat ${PROJECT_DIR}/commons/certs/custom_cacert.pem |
        awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
        keytool -import -keystore ${PROJECT_DIR}/commons/certs/keystore/keystore.jks -storepass $ES_JKS_PASSWORD -noprompt -alias $ALIAS
    done
    # Publish both stores as configmaps; apply (not create) so the commands can be rerun
    kubectl -n ${NAMESPACE} create configmap cacertcm --from-file=${PROJECT_DIR}/commons/certs/cacerts --dry-run=client -o yaml | kubectl -n ${NAMESPACE} apply -f -
    kubectl -n ${NAMESPACE} create configmap cert-keystore --from-file=${PROJECT_DIR}/commons/certs/keystore --dry-run=client -o yaml | kubectl -n ${NAMESPACE} apply -f -

    In the commands:

    • PROJECT_DIR is the full path of the deployment manager directory.
    • NAMESPACE is the BMC Helix IT Operations Management deployment namespace.
      Find the value of NAMESPACE in the ${PROJECT_DIR}/configs/infra.config file.
    • ES_JKS_PASSWORD is the value stored in the ${PROJECT_DIR}/commons/certs/secrets.txt file.

    The &> /dev/null on the truststore import hides keytool's output, including any import error, so a certificate that fails to import is skipped silently. Confirm that all custom_cacert-N aliases are present in the cacerts file before you build the configmaps.

  5. Restart all the pods by running the following command:

    kubectl get pod -n ${NAMESPACE} | grep -iv "postgres\|redis\|kafka-exporter\|kafka-0\|kafka-1\|kafka-2\|kafka-zookeeper\|victoria" | grep Running | awk '{print $1}' | xargs kubectl delete pod -n ${NAMESPACE}

    In the command, ${NAMESPACE} is the value of NAMESPACE in the ${PROJECT_DIR}/configs/infra.config file. The grep -iv filter keeps the stateful pods (postgres, redis, kafka, kafka-zookeeper, victoria) running; every other Running pod is deleted so that its controller recreates it with the updated configmaps mounted.

 
