How To replace OOB Certificate (in CDF and suite)

  • KM03173874
  • 07-Jun-2018
  • 08-Aug-2018


We need to replace the certificate on the CDF nginx, but we are not able to fin the instructions in the documentation.


The help server explain how to replace the OOB certificates to put customer's certificates instead:

However, here are more detailed steps that will be helpful to fully achieve this


First of all, you have to get the costumer’s certificate as the documentation says.

Steps for replacing the certificate:
1.- Replace the certificate for the suite:
• Extract and save a backup of the OOTB Nginx certificate and private key. Execute the following command:
kubectl get secret nginx-itsma-secret -n <your_itsma_deployment> -o yaml > nginx-itsma-secret_oob.yaml
• Set the server certificate and private key as base64. Copy the results of these commands in a notepad:
o base64 -w 0 <your_server_certificate>.crt > tls_base64.crt
o base64 -w 0 <your_private>.key > Private_Key_base64.crt
Note** Change the server certificate if it has 2/3 levels. You only need the first part of the server certificate (first begin-end section including begin and end headers).
• Change the Nginx certificate and private key.
o Execute: “kubectl edit secret nginx-itsma-secret -n <your_itsma_deployment> -o yaml”
 Replace the “tls.crt” value for your new base64 server certificate value
 Replace the “tls.key” value for your new base64 private key value
• Restart the itom-nginx-ingress-deployment pods.
• Check your service portal, propel admin and Service Manager web pages are secure.

2.- Replace the certificate for CDF:
• Backup your OOTB CDF Certificate
o Execute the following commands:
kubectl get secret nginx-default-secret -n core -o yaml> nginx-default-secret-oob.yaml
kubectl get secret itom-cdf-ingress-frontend-secret -n core -o yaml> itom-cdf-ingress-frontend-secret-oob.yaml
• Check your certificates and private key.
o Upload your server certificate, private key and root certificate in “/opt/kubernetes/scripts” path into the master node
o Upload and Replace the certCheck file (attached) in “/opt/kubernetes/scripts” into the master node. Do a backup from the existing one.
o Check your certificates executing:
./certCheck  -ca ./test_root_2.crt  -key ./tls.key  -cert ./tls_bk.crt -host –debug
The result must be:
Note** If your root certificate have two begin-end sections. You have to remove the first one.
• You are ready to replace the certificates and private key from Administrator UI.
https://<your_url>:5443. Go to Administration  Certificates. Select your files and click on “Update”.
• Check you CDF Certificate closing and opening a new web browser for
https://<your_url>:5443. It should be “secure”.