OMT Change Certificate from Self-Signed to CA-Signed

Hi there,

To begin with, I have successfully deployed OMT for one control node and three worker nodes, and I have a question regarding the certificates.

I am here quoting from the documentation in Communication between OMT and external services:

"The ingress controller is a Kubernetes component that manages incoming requests to services in the Kubernetes cluster. For example, users connect to AppHub by using a web browser. Certificates for the ingress controller can come from a self-signed certificate authority (CA) in OMT, or you can provide them yourself. By default, the CA in OMT generates the ingress controller certificates, unless you upload your own during installation. However, if you don't upload your own certificates, browsers may display an "insecure connection" warning when connecting to OMT. OMT requires the server certificate, server key, and CA certificate for the ingress controller."

But there is no mention of going from a self-signed certificate to a CA-signed (customer's) one.

My question is:

Is it possible to change the self-signed certificate to a CA-signed (customer's) one after the OMT is successfully deployed?

1. If yes, should I follow through by checking and renewing the certificate mentioned in Renew customer provided ingress controller certificates with the customer's CA-signed certificate?

2. If not, what should be done in this situation?

Thanks

  • 0  

    Hello,

    To answer your question, the first option is correct. You should use the Renew customer provided ingress controller certificate document to configure the CA certificates.


    Gwendolyne Maroto Artavia

    OpenText NNM Support 

    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button.

  • Verified Answer

    +1  

    Hello

    Yes, certificates can be updated after the fact. The documentation link you provided also states that this procedure can be used to replace the OMT self-signed certificates with your custom certificates, as we can see in the following image:

    You just need to make sure that your custom signed certificate meets all the requirements listed in the Check Certificate Requirements section and follow the procedure to update the deployment information with the new certificates.

    As for the generation of the certificate, you need to create a CSR (Certificate Signing Request) that contains all the data needed. This can be done using OpenSSL or a tool like the DigiCert utility tool that allows you to create CSRs. Then get the request signed by the authority of your choice, export the certificate files in the supported format, and follow the documentation to upload them to the system.

    OpenText Ops Bridge Suite Support 

    Although I am an OpenText employee, I am speaking for myself and not for OpenText.
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button.
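
The CSR step described in the verified answer, plus a pre-upload consistency check of the three files the documentation says OMT requires (server certificate, server key, CA certificate), as an added example that is not part of the original thread or OpenText's own tooling. The hostname, file names, RSA 2048 key and single DNS SAN are assumptions, and the CA file is assumed to hold the full chain up to the root; the upload itself follows the vendor procedure.

```shell
#!/bin/sh
# Added example, not OpenText code. Hostnames and file names are placeholders.

# make_csr <fqdn> <key_out> <csr_out>: new private key plus a CSR for the CA.
# RSA 2048 and a single DNS SAN are assumptions; use the documented requirements.
make_csr() {
  ( umask 077   # the private key must not be readable by other users
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# check_bundle <fqdn> <server_cert> <server_key> <ca_cert>
# Returns 0 if the three files are consistent, else 1-4 for the failed check.
check_bundle() {
  cb_host=$1; cb_cert=$2; cb_key=$3; cb_ca=$4

  # 1. The key belongs to the certificate (same public key).
  cb_cpub=$(openssl x509 -in "$cb_cert" -noout -pubkey 2>/dev/null) || return 1
  cb_kpub=$(openssl pkey -in "$cb_key" -pubout 2>/dev/null) || return 1
  [ "$cb_cpub" = "$cb_kpub" ] || { echo "key does not match certificate" >&2; return 1; }

  # 2. The certificate chains to the supplied CA file.
  openssl verify -CAfile "$cb_ca" "$cb_cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $cb_ca" >&2; return 2; }

  # 3. The name users type into the browser is covered.
  openssl x509 -in "$cb_cert" -noout -checkhost "$cb_host" | grep -q "does match" ||
    { echo "certificate does not cover $cb_host" >&2; return 3; }

  # 4. More than 30 days of validity left.
  openssl x509 -in "$cb_cert" -noout -checkend 2592000 >/dev/null ||
    { echo "certificate expires within 30 days" >&2; return 4; }
}
```

Typical use is `make_csr omt.example.com server.key server.csr`, then, once the CA returns the signed certificate, `check_bundle omt.example.com server.crt server.key ca.crt` before following the upload procedure.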