Re-issue internal certificates

Learn how to issue new certificates to the components of the StackRox Kubernetes Security Platform.

Each component of the StackRox Kubernetes Security Platform uses an X.509 certificate to authenticate itself to other components.

These certificates have expiration dates and you must re-issue them before they expire.

To re-issue certificates, you need write permission on the ServiceIdentity resource.

Central

Central uses a built-in server certificate for authentication when it communicates with other StackRox services. This certificate is unique to your Central installation.

Version 3.0.47 or newer

Starting from version 3.0.47 of the StackRox Kubernetes Security Platform, the StackRox portal shows an information banner when the Central certificate is about to expire.

The information banner only appears 15 days before the certificate expiry date.

To apply a new certificate:

  1. Select the link in the banner to download a YAML configuration file, which contains a new Kubernetes secret with the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you installed Central.

     kubectl apply -f <secret-file>

     On OpenShift:

     oc apply -f <secret-file>

  3. Restart Central to apply changes.

     kubectl -n stackrox exec deploy/central -c central -- kill 1

     On OpenShift:

     oc -n stackrox exec deploy/central -c central -- kill 1
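Before applying a downloaded secret file (and after restarting, against the secret in the cluster) it is worth confirming what certificate it actually carries. The following check is an added example, not StackRox tooling: it decodes the certificate from the secret's tls.crt value, prints its expiry and flags it when it falls inside the 15-day window in which the banner appears. It assumes the standard kubectl secret layout (base64-encoded tls.crt under data), that openssl and kubectl are installed, and that the namespace and secret name passed to the cluster check are supplied by you; this page does not name the secrets. The same check works for the Scanner and sensor secret files in the later sections.

```shell
#!/bin/sh
# Added example, not part of the StackRox product: inspect the certificate in
# a downloaded TLS secret YAML (the <secret-file> above) before applying it.
# Assumes the kubectl secret layout (base64 "tls.crt" under "data:") and that
# openssl is installed. Namespace and secret name for the in-cluster check are
# supplied by the caller; this page does not give them.

# Decode the PEM certificate from the secret file's tls.crt entry.
secret_cert_pem() {
  sed -n 's/^[[:space:]]*tls\.crt:[[:space:]]*//p' "$1" | tr -d '"' | base64 -d
}

# Print the notAfter date of the certificate stored in the secret file.
secret_cert_not_after() {
  secret_cert_pem "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate stays valid for at least DAYS more days (default
# 15, the window in which the portal banner appears), 1 if it expires sooner.
secret_cert_valid_for_days() {
  days="${2:-15}"
  secret_cert_pem "$1" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null
}

# Print the notAfter date of a TLS secret already deployed in the cluster, so
# the downloaded file can be compared with what is currently in use.
# Usage: cluster_cert_not_after <namespace> <secret-name>
cluster_cert_not_after() {
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Report on one downloaded secret file; returns 1 if it is about to expire.
check_secret_file() {
  f="$1"
  printf 'certificate in %s expires: %s\n' "$f" "$(secret_cert_not_after "$f")"
  if secret_cert_valid_for_days "$f" 15; then
    echo "ok: more than 15 days of validity left"
  else
    echo "warning: expires within 15 days (this is what triggers the portal banner)"
    return 1
  fi
}
```

Run `check_secret_file <secret-file>` on the downloaded file, then `cluster_cert_not_after stackrox <secret-name>` after the restart to confirm the new expiry date is the one now in the cluster.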

Version 3.0.46 or older

In earlier versions, you can replace the Central certificate by running the replace-central-cert.sh script:

  1. Download the replace-central-cert.sh script.

  2. Make the replace-central-cert.sh script executable.

     chmod +x replace-central-cert.sh

  3. Set ROX_ENDPOINT and ROX_PASSWORD in your environment.

     export ROX_ENDPOINT=<address>:<port-number>
     export ROX_PASSWORD=<admin-password>

  4. Run the replace-central-cert.sh script.

     ./replace-central-cert.sh

Scanner

Scanner has a built-in certificate that it uses to communicate with Central.

Version 3.0.47 or newer

Starting from version 3.0.47 of the StackRox Kubernetes Security Platform, the StackRox portal shows an information banner when the Scanner certificate is about to expire.

The information banner only appears 15 days before the certificate expiry date.

To apply a new certificate:

  1. Select the link in the banner to download a YAML configuration file, which contains a new Kubernetes secret with the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you installed Scanner.

     kubectl apply -f <secret-file>

     On OpenShift:

     oc apply -f <secret-file>

  3. Restart Scanner to apply changes.

     kubectl delete po -n stackrox -l app=scanner

     On OpenShift:

     oc delete po -n stackrox -l app=scanner

Version 3.0.46 or older

  1. Generate a new Scanner bundle.

     roxctl scanner generate

  2. Apply the new YAML configuration file (from the bundle) to the cluster where you installed Scanner.

     kubectl apply -f scanner-bundle/scanner/tls-secret.yaml

     On OpenShift:

     oc apply -f scanner-bundle/scanner/tls-secret.yaml

  3. Restart Scanner to apply changes.

     kubectl delete po -n stackrox -l app=scanner

     On OpenShift:

     oc delete po -n stackrox -l app=scanner

Secured clusters (Sensor, Collector, Admission Controller)

Sensor, Collector, and Admission Controller use certificates to communicate with each other, and with Central.

If you are using the StackRox Kubernetes Security Platform version 3.0.46 or newer, you can view the certificate expiry dates in the Platform Configuration > Clusters view.

Version 3.0.47 or newer

Starting from version 3.0.47 of the StackRox Kubernetes Security Platform, you can download a YAML configuration file from the portal or use automatic upgrades to replace the certificates.

To download the YAML configuration file:

  1. In the StackRox portal, select Platform Configuration > Clusters.

  2. In the Clusters view, select a Cluster to view its details.

  3. In the cluster details panel, either:

     • Select the link in the notification to download a YAML configuration file, which contains a new Kubernetes secret with the certificate and key values. The notification only appears 30 days before the certificate expiry date. Then apply the new YAML configuration file to the cluster:

       kubectl apply -f <secret-file>

       On OpenShift:

       oc apply -f <secret-file>

     • Or, select the link to apply credentials by using an automatic upgrade.

       When you apply an automatic upgrade, the StackRox Kubernetes Security Platform creates new credentials in the selected cluster. However, you’ll still see a notification. The notification goes away when each StackRox service begins using the new credentials after the service restarts.

Version 3.0.46 or older

  1. Download the sensor bundle for each existing cluster, either:

     • With the roxctl CLI, specifying a cluster name or ID:

       roxctl sensor get-bundle <cluster-name-or-id>

     • Or from the StackRox portal:

       1. Navigate to the Platform Configuration > Clusters view.
       2. In the Clusters view, select a Cluster to view its details.
       3. In the cluster details panel, select Next.
       4. Select Download YAML files and keys.

  2. Apply the new YAML configuration file to the secured cluster for which you downloaded the bundle.

     kubectl apply -f sensor-bundle/sensor/sensor-secret.yaml

     On OpenShift:

     oc apply -f sensor-bundle/sensor/sensor-secret.yaml

     Make sure that you apply the configuration to the same cluster for which you’ve downloaded the bundle.


© 2021 StackRox Inc. All rights reserved.