Upload CA Certificates to NextGen Gateway

Overview

Adding custom CA certificates to the NextGen gateway is crucial for ensuring secure communication between the gateway and other components within your environment. Custom CA certificates allow you to establish trust between the gateway and the servers it interacts with. By adding these certificates, you enhance the overall security posture of your system, protect sensitive data, and prevent potential security vulnerabilities. This practice is essential to maintain the integrity of your communication channels and safeguard your network infrastructure.

Upload the CA certificates to NextGen Gateway

To upload the CA certificate, you need to generate the certificate locally first. After that, you can proceed to upload the locally issued certificate to both the gateway and vprobe service.

Step 1: Save the certificates in /root/custom-certs repository

Create a custom-certs folder within the /root/ directory.
```
mkdir -p /root/custom-certs
```
Change the current directory to /root/custom-certs.
```
cd /root/custom-certs
```
Save all the certificates to /root/custom-certs directory.
- If you already have certificates, save them with the ‘crt extension.
- If certificates are not available, see the document to know how to get them.

Note

Please make sure you save the certificates in all nodes.

Step 2: Upload the certificate to NextGen Gateway and OS (Ubuntu)

Once the certificates copying is completed then follow steps to upload it to the NextGen gateway and OS (Ubuntu).

Upload the CA Certificates to OS (Ubuntu)

Run the following commands to upload certificates to OS (Ubuntu).

sudo cp /root/custom-certs/*.crt /usr/local/share/

sudo update-ca-certificates

Note

Please make sure you upload all the certificates in all nodes.

Upload the Certificate to NextGen Gateway

Create a configmap using following command.

cd /root/

kubectl create configmap custom-certs --from-file=custom-certs -n <namespace>

If the gateway is already registered, use the following command to pull and update the helm chart.

helm pull oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version 1.6.0

helm upgrade nextgen-gw nextgen-gw-1.6.0.tgz -n <namespace>

If the gateway is not registered, see the document to register it and then proceed to step 2.

Note

If you already have certificates in your existing configmap and want to update them. The recommended approach is to first delete the existing configmap and then follow the above steps to upload the new certificates.