Procedure for renewing TLS certificates on Kubernetes

This page describes the procedure for renewing TLS certificates generated by Helm for internal communication between Cyberwatch services.

Default validity period

Helm automatically generates TLS certificates to secure internal communication between services (database, Redis, Elasticsearch, etc.).

The default validity periods are:

  • Service certificates: 365 days (1 year)
  • Certificate Authority (CA) certificate: 3650 days (10 years)

These certificates are stored in Kubernetes secrets. Helm only generates a certificate when the corresponding secret does not already exist in the cluster (the chart uses Helm's lookup function to check for it), so an existing certificate is never overwritten by a normal helm upgrade, even after it has expired.

Service certificates must be renewed before they expire to avoid communication disruptions between services.

Checking certificate expiration dates

List TLS secrets and display their expiration dates:

# Every kubernetes.io/tls secret stores its certificate under the tls.crt key.
# openssl reads the first (leaf) certificate of the PEM and prints "notAfter=<date>";
# cut keeps only the date.
for secret in $(kubectl -n cyberwatch get secrets -o jsonpath='{.items[?(@.type=="kubernetes.io/tls")].metadata.name}'); do
  enddate=$(kubectl -n cyberwatch get secret "$secret" -o jsonpath='{.data.tls\.crt}' | \
    base64 -d | openssl x509 -noout -enddate | cut -d= -f2)
  printf "%-30s %s\n" "$secret" "$enddate"
done

For the CA certificate, which lives in the cyberwatch-root-ca secret under the root-ca.crt key rather than tls.crt:

kubectl -n cyberwatch get secret cyberwatch-root-ca -o jsonpath='{.data.root-ca\.crt}' | \
  base64 -d | openssl x509 -noout -enddate

Renewing service certificates

To force certificate regeneration, delete the existing secrets, then run helm upgrade: because of the lookup behaviour described above, Helm recreates only the secrets that are missing and leaves the others untouched.

  1. Identify the certificate secrets to renew using the expiration check above.

  2. Delete the identified secrets, for example:

    kubectl -n cyberwatch delete secret <secret-1> <secret-2> ...

    Delete the secrets immediately before redeploying rather than long in advance: a pod (re)scheduled while a secret it mounts is missing stays in ContainerCreating until the secret exists again.

    Some TLS secrets are not automatically renewed by Helm (for example cyberwatch-tls). Deleting one of these without recreating it breaks the service that uses it; they must be recreated manually. See the TLS configuration documentation for Kubernetes for more information.

  3. Follow the image update procedure to redeploy with Helm and renew the certificates.

  4. Run the expiration check again to confirm that the renewed secrets now carry later expiration dates. A running process generally keeps using the certificate it loaded at startup, so also make sure the pods that mount the renewed secrets were restarted by the redeployment.

Renewing the CA certificate

Renewing the CA invalidates all service certificates signed by it: the services trust only the current CA, so certificates issued by the previous one are rejected. All service certificate secrets must therefore be deleted and recreated together with the CA secret, and internal communication is disrupted until the redeployment has completed.

  1. Delete the CA secret (cyberwatch-root-ca) as well as all service certificate secrets.

  2. Follow steps 2 to 4 of the service certificate renewal procedure above.
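The two procedures above (renewing the service certificates that are about to expire, and renewing the CA together with every Helm-managed service certificate) as one script. This is an added example, not part of the Cyberwatch documentation or chart. It relies on openssl's -checkend exit status instead of parsing dates, it skips secrets Helm does not regenerate (the page names cyberwatch-tls) and only warns about them, and it assumes a 30-day renewal window, the secret name cyberwatch-root-ca from the check above, and a Helm release and chart named by the HELM_RELEASE and HELM_CHART variables with --reuse-values; substitute the redeploy command from your image update procedure where that differs.

```shell
#!/bin/sh
# Added example (not Cyberwatch's own tooling): drive the renewal procedures above.
#   ./renew-tls.sh --run             renew service certificates expiring within RENEW_WINDOW_DAYS
#   ./renew-tls.sh --run --renew-ca  renew the CA and every Helm-managed service certificate
# Assumptions (not taken from the page): HELM_RELEASE / HELM_CHART, --reuse-values, the 30-day window.
set -eu

NAMESPACE="${NAMESPACE:-cyberwatch}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"
CA_SECRET="cyberwatch-root-ca"
# TLS secrets Helm never regenerates (the page names cyberwatch-tls); add others here if needed.
MANUAL_SECRETS="cyberwatch-tls"

# Returns 0 if the secret must be recreated by hand rather than by helm upgrade.
is_manual_secret() {
  name="$1"
  for s in $MANUAL_SECRETS; do
    [ "$s" = "$name" ] && return 0
  done
  return 1
}

# Reads a PEM certificate on stdin; returns 0 if it expires within $1 days.
# openssl's -checkend exits 1 when the certificate will already be expired at now+seconds.
expires_within_days() {
  if openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Prints "<secret> expiring|ok" for every kubernetes.io/tls secret in the namespace.
classify_secrets() {
  for secret in $(kubectl -n "$NAMESPACE" get secrets \
      -o jsonpath='{.items[?(@.type=="kubernetes.io/tls")].metadata.name}'); do
    if kubectl -n "$NAMESPACE" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | expires_within_days "$RENEW_WINDOW_DAYS"; then
      echo "$secret expiring"
    else
      echo "$secret ok"
    fi
  done
}

# Reads "<secret> expiring|ok" lines on stdin and prints the Helm-managed secrets to delete.
# With "all" as $1 (CA renewal) every Helm-managed secret is selected, because the new CA
# will not trust certificates issued by the old one. Manual secrets are only reported on stderr.
select_for_renewal() {
  mode="${1:-expiring}"
  while read -r name state; do
    [ "$mode" = "all" ] || [ "$state" = "expiring" ] || continue
    if is_manual_secret "$name"; then
      echo "WARNING: $name must be recreated manually (Helm does not regenerate it)" >&2
    else
      echo "$name"
    fi
  done
}

main() {
  mode=expiring
  [ "${2:-}" = "--renew-ca" ] && mode=all
  to_delete=$(classify_secrets | select_for_renewal "$mode")
  [ "$mode" = "all" ] && to_delete="$CA_SECRET $to_delete"
  if [ -z "$to_delete" ]; then
    echo "No Helm-managed certificate expires within $RENEW_WINDOW_DAYS days"
    return 0
  fi
  # Delete and redeploy back to back: pods scheduled while a secret is missing cannot start.
  kubectl -n "$NAMESPACE" delete secret $to_delete
  helm upgrade "${HELM_RELEASE:-cyberwatch}" "${HELM_CHART:-cyberwatch/cyberwatch}" \
    -n "$NAMESPACE" --reuse-values --wait
  # Re-run the check so the new expiration state is visible.
  classify_secrets
}

# Only define the functions unless --run is given, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  main "$@"
fi
```

Run it with --run after reviewing the list printed by classify_secrets; with --renew-ca the root CA secret is deleted first and every Helm-managed service secret follows, which matches the CA procedure above. Whether cyberwatch-tls also needs to be reissued after a CA renewal depends on how it was issued, which is why the script never deletes it and only warns.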

