Overview
Information about renewing internal certificates for another year before they are set to expire.
Catalyst Center uses a number of certificates, such as the ones generated by Kubernetes and the ones used by Kong and Credential Manager Services. These certificates are valid for one year, which starts as soon as you install your cluster. Catalyst Center automatically renews these internal certificates for another year before they are set to expire.
- We recommend that you renew internal certificates before they expire, not after.
- You can only renew internal certificates that are set to expire up to 100 days from now. This procedure does not do anything to certificates that will expire later than that.
- The script refreshes only self-signed certificates, not third-party/certificate authority (CA)-signed certificates. For third-party/CA-signed certificates, the script updates the internal certificates used by Kubernetes and the Credential Manager.
- For self-signed certificates, the renewal process does not require you to push certificates back out to devices, because the root CA is unchanged.
- The term cluster applies to both single-node and three-node Catalyst Center setups.
Procedure
1. Ensure that each cluster node is healthy and not experiencing any issues.
2. To view a list of the certificates that are currently used by that node and their expiration date, enter this command:
3. Renew the internal certificates that are set to expire soon by entering this command:
4. Repeat the preceding steps for the other cluster nodes.
5. For utility help, enter: