
K8s/Openshift - Certificate Management Guide

Checking Certificate Validity

To check the validity and expiration date of certificates, run the following script inside the vid-maintenance pod:

python3 /scripts/check_certificates.py

Renewing Interservice Certificates (websec - adservice, websec - OPA)

To renew interservice certificates, open a terminal in the vid-maintenance pod and run:

bash /scripts/renew-interservice-certificates.sh

# Verify the new expiration date:
# Run the following script and check the output for 'tomcat-keystore'
python3 /scripts/check_certificates.py

Certificate validity is defined in config.json (.clientCert.validityDays.default).
The affected pods will be restarted automatically.

Renewing Cassandra Internode and Client Certificates

To renew Cassandra internode and client certificates, follow these steps:

  1. Inside the vid-maintenance Pod:

    bash /scripts/renew-cassandra-certificates.sh
    
    # Verify the new expiration date:
    # Run the following script and check the output for 'cassandra-keystore' and 'cassandra-client'
    python3 /scripts/check_certificates.py
    

    Certificate validity is defined in config.json (.clientCert.validityDays.default).

  2. From the Operator Machine:

    Restart the Cassandra pods to apply the changes:

    oc -n $NAMESPACE rollout restart statefulset <STATEFULSET_NAME>
    

Renewing Elasticsearch & Kibana Client Certificates

The ECK Operator manages Elasticsearch and Kibana client certificates using the CA certificate stored in the vid-ca-cert secret.

The certificate validity is configured in eck-operator-values.yaml under config.certificatesValidity, and is specified in hours (e.g., 24h). To apply any changes, update the values file and upgrade the ECK Operator Helm chart.

To renew the certificates:

  1. Delete the following secrets:

    • elasticsearch-dev-es-http-certs-internal

    • kibana-elasticsearch-dev-kb-http-certs-internal

  2. Wait approximately one minute for the new certificates to be applied.

    Service restart is NOT required.

  3. Verify the new expiration date:

    # Run the following script and check the output for 'elasticsearch-client' and 'kibana-client'
    python3 /scripts/check_certificates.py
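
Steps 1 to 3 above as one script, added here as an example (it is not part of the original guide or of the product's scripts): it deletes each secret, waits for the ECK Operator to reissue it, and compares the certificate's notAfter date before and after. It assumes oc is logged in with NAMESPACE set, that the certificate sits under the secret key tls.crt, and that base64 and openssl are installed; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not the product's own tooling.
# Assumptions: NAMESPACE is set, `oc` is logged in, the secrets keep the
# certificate under the key tls.crt, and base64/openssl are on PATH.

SECRETS="elasticsearch-dev-es-http-certs-internal kibana-elasticsearch-dev-kb-http-certs-internal"

# Print the notAfter date of the first (leaf) certificate in secret $1.
# Prints nothing if the secret or the key is missing.
secret_not_after() {
  oc -n "$NAMESPACE" get secret "$1" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -enddate | cut -d= -f2
}

# Delete secret $1, then poll (default 24 tries, 5 s apart) until a
# certificate with a different notAfter date shows up in its place.
renew_secret() {
  local name="$1" tries="${2:-24}" before after
  before=$(secret_not_after "$name" 2>/dev/null) || before=""
  oc -n "$NAMESPACE" delete secret "$name" >/dev/null || return 1
  while [ "$tries" -gt 0 ]; do
    after=$(secret_not_after "$name" 2>/dev/null) || after=""
    if [ -n "$after" ] && [ "$after" != "$before" ]; then
      echo "$name: notAfter $before -> $after"
      return 0
    fi
    tries=$((tries - 1))
    sleep 5
  done
  # An unchanged date means the operator has not reissued the certificate.
  echo "$name: no renewed certificate after waiting" >&2
  return 1
}

# Renew every secret listed in the guide; non-zero if any of them failed.
renew_all() {
  local s rc=0
  for s in $SECRETS; do
    renew_secret "$s" || rc=1
  done
  return "$rc"
}

# Usage: NAMESPACE=<namespace> renew_all
```

A non-zero exit from renew_all means at least one secret still carries its old expiration date, so the check_certificates.py output should be reviewed before the procedure is treated as complete.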