NSP TLS administration overview

Managing NSP TLS certificates

NSP TLS certificate renewal or replacement is required when:

• a certificate nears or reaches expiry

• a component is added to the NSP system

• an NSP component is replaced

• an NSP component address changes

• responding to a CA or algorithm compromise

Required NSP cluster certificates

An NSP cluster uses the following TLS certificates:

• Kubernetes infrastructure certificates, applied to:

  • Kubernetes registry

  • NSP deployer host

  • NSP cluster control plane

• issuer certificates, applied to:

  • internal NSP subsystem and service endpoints

  • external-facing NSP application endpoints

• server certificates, applied to:

  • NSP cluster gateway for client access

  • mediation interfaces

Storage in Kubernetes secrets

The NSP TLS artifacts are stored in Kubernetes secrets to prevent the exposure of high-risk security information. You use an NSP utility to manage the secrets and certificates in the secrets.

To show basic information about the installed secrets such as the namespaces and ages, see How do I list the NSP Kubernetes secrets?.

To show the content of each secret, see How do I view the Kubernetes secret content?.

Support for deprecated TLS versions

An external system such as an OSS client may use an older, deprecated TLS version. For compatibility with such a client, you can enable older TLS versions by setting the tlsv1ProtocolsEnabled parameter in the nsp-config.yml file.

TLS expiry notifications

The NSP checks the expiry date of a monitored TLS certificate during initialization, and every 24 hours thereafter. After an NSP TLS certificate expires, the NSP cluster continues to operate, but functions that depend on secure communication are unavailable.

When a certificate expires or approaches expiry, the NSP raises one of the following server or internal certificate alarms:

• Warning, if the certificate is to expire within 30 days of the current time

• Critical, if the certificate is to expire within 7 days of the current time

• Critical, if the certificate is expired

Note: The NSP raises one alarm per certificate.

Note: The alarms for internal or external NSP certificate expiry do not clear automatically.

Note: No alarm is raised for an expiring or expired NSP Kubernetes infrastructure certificate.

Note: The Days Remaining value in an expiry alarm is based on the number of complete 24-hour periods until the certificate expiry time. If fewer than 24 hours remain until expiry, the Days Remaining value is zero; however, the NSP does not raise an alarm about the certificate expiry until the next periodic check, 24 hours later.

How do I update the NSP issuer TLS artifacts? describes how to replace the internal TLS certificate, the external certificate, or both, in an NSP system.