How do I update the NSP issuer TLS artifacts?
Purpose
CAUTION: Potential Service Disruption
Updating the TLS artifacts requires that you stop and restart each NSP cluster, which is potentially service-affecting.
Ensure that you perform the procedure only during a scheduled maintenance window under the guidance of technical support.
Perform this procedure to replace the internal or external TLS keys or certificates, as may be required when a certificate nears or reaches expiry, or as required by your company security policy.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1 |
Perform Step 5 to Step 10 in the standalone or primary data center. |
2 |
If the NSP deployment is DR, perform Step 5 to Step 10 in the standby data center. |
3 |
Perform Step 11 to Step 13 in the standalone or primary data center. |
4 |
If the NSP deployment is DR, perform Step 11 to Step 13 in the standby data center. |
5 |
Open a terminal session to the NSP deployer VM. |
6 |
Log in as the root or NSP admin user. |
7 |
Stop the NSP cluster.
Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:
nspdeployerctl --ask-pass uninstall --undeploy
|
8 |
To replace the internal NSP issuer CA certificate/key pair, enter the following:
# ./nspdeployerctl secret -s ca-key-pair-internal-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵
where
key_file is the full path and name of the TLS key file
cert_file is the full path and name of the TLS certificate file
Messages like the following are displayed:
tls.crt=key_file update
secret/ca-key-pair-internal-nspdeployer patched
secret/ca-key-pair-internal-nspdeployer patched
secret/ca-key-pair-internal-nspdeployer patched
The following files may contain sensitive information. They are no longer required by NSP and may be removed.
key_file
cert_file
|
9 |
To replace the external NSP issuer CA certificate/key pair, enter the following:
# ./nspdeployerctl secret -s ca-key-pair-external-nspdeployer -n "*" -f tls.key=key_file -f tls.crt=cert_file update ↵
where
key_file is the full path and name of the TLS CA private key file
cert_file is the full path and name of the TLS CA certificate file
Messages like the following are displayed:
tls.crt=key_file update
secret/ca-key-pair-external-nspdeployer patched
secret/ca-key-pair-external-nspdeployer patched
secret/ca-key-pair-external-nspdeployer patched
The following files may contain sensitive information. They are no longer required by NSP and may be removed.
key_file
cert_file
|
10 |
Back up the Kubernetes secrets.
|
11 |
Enter the following to start the NSP cluster:
Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the nspdeployerctl command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:
nspdeployerctl --ask-pass install --config --deploy
# ./nspdeployerctl install --config --deploy ↵
The NSP cluster starts, and the configuration update is put into effect. |
12 |
To delete the local certificate and key files on an NSP deployer VM, enter the following for each file identified for removal in Step 8 and Step 9:
# rm file ↵
where file is one of the following: |
13 |
Perform the following as required to update the TLS artifacts on each NSP component deployed outside the NSP cluster:
End of steps |
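A pre-flight check for the key_file and cert_file supplied in Step 8 and Step 9, as an added example that is not part of the NSP documentation or tooling: it uses openssl to confirm that the private key matches the certificate, that the certificate is a CA certificate, and that it is not close to expiry. The function name check_ca_pair, its exit codes and the 30-day default are assumptions, as are PEM-encoded files and an unencrypted private key.

```shell
#!/bin/sh
# Added example: pre-flight check for the files passed as tls.key / tls.crt.
# Assumptions: openssl is installed, both files are PEM, the key is unencrypted.
# check_ca_pair and its exit codes are hypothetical names, not NSP tooling.
# Usage: check_ca_pair key_file cert_file [min_days]
# Returns 0 ok, 2 unreadable/unparsable, 3 key mismatch, 4 not a CA, 5 expiring.
check_ca_pair() {
    ccp_key=$1
    ccp_crt=$2
    ccp_days=${3:-30}

    if [ ! -r "$ccp_key" ] || [ ! -r "$ccp_crt" ]; then
        echo "cannot read key or certificate file" >&2
        return 2
    fi

    # Derive the public key from each file. Capture them separately so that a
    # parse failure is never mistaken for two matching (empty) values.
    ccp_kpub=$(openssl pkey -in "$ccp_key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $ccp_key" >&2; return 2; }
    ccp_cpub=$(openssl x509 -in "$ccp_crt" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $ccp_crt" >&2; return 2; }

    if [ "$ccp_kpub" != "$ccp_cpub" ]; then
        echo "private key does not match certificate" >&2
        return 3
    fi

    # An issuer certificate must carry basicConstraints CA:TRUE.
    if ! openssl x509 -in "$ccp_crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "certificate is not a CA certificate" >&2
        return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$ccp_crt" -noout -checkend $((ccp_days * 86400)) >/dev/null; then
        echo "certificate expires within $ccp_days days" >&2
        return 5
    fi

    echo "OK: $(openssl x509 -in "$ccp_crt" -noout -subject -enddate | tr '\n' ' ')"
}

# When run as a script with arguments, check the given pair.
if [ "$#" -ge 2 ]; then check_ca_pair "$@"; fi
```

Running it once for the internal pair and once for the external pair before the maintenance window catches a mismatched or non-CA file while the cluster is still up.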