NSP TLS administration overview
Managing NSP TLS certificates
NSP TLS certificate renewal or replacement is required when:
Required NSP cluster certificates
An NSP cluster uses the following TLS certificates:
- Kubernetes infrastructure certificates, applied to:
- issuer certificates, applied to:
- server certificates, applied to:
Storage in Kubernetes secrets
The NSP TLS artifacts are stored in Kubernetes secrets to prevent the exposure of high-risk security information. You use an NSP utility to manage the secrets and certificates in the secrets.
To show basic information about the installed secrets such as the namespaces and ages, see How do I list the NSP Kubernetes secrets?.
To show the content of each secret, see How do I view the Kubernetes secret content?.
Support for deprecated TLS versions
An external system such as an OSS client may use an older, deprecated TLS version. For compatibility with such a client, you can enable older TLS versions by setting the tlsv1ProtocolsEnabled parameter in the nsp-config.yml file.
TLS expiry notifications
The NSP checks the expiry date of a monitored TLS certificate during initialization, and every 24 hours thereafter. After an NSP TLS certificate expires, the NSP cluster continues to operate, but functions that depend on secure communication are unavailable.
When a certificate expires or approaches expiry, the NSP raises one of the following server or internal certificate alarms:
- Warning, if the certificate is to expire within 30 days of the current time
- Critical, if the certificate is to expire within 7 days of the current time
Note: The NSP raises one alarm per certificate.
Note: The alarms for internal or external NSP certificate expiry do not clear automatically.
Note: No alarm is raised for an expiring or expired NSP Kubernetes infrastructure certificate.
Note: The Days Remaining value in an expiry alarm is based on the number of complete 24-hour periods until the certificate expiry time. If fewer than 24 hours remain until expiry, the Days Remaining value is zero; however, the NSP does not raise an alarm about the certificate expiry until the next periodic check, 24 hours later.
How do I update the NSP issuer TLS artifacts? describes how to replace the internal TLS certificate, the external certificate, or both, in an NSP system.