openshift-docs/modules/customize-certificates-replace-default-router.adoc

// Module included in the following assemblies:
//
// * security/certificates/replacing-default-ingress-certificate.adoc

:_mod-docs-content-type: PROCEDURE
[id="replacing-default-ingress_{context}"]
= Replacing the default ingress certificate

You can replace the default ingress certificate for all applications under the `.apps` subdomain. After you replace the certificate, all applications, including the web console and CLI, have encryption provided by the specified certificate.

.Prerequisites

* You must have a wildcard certificate for the fully qualified `.apps` subdomain and its corresponding private key. Each should be in a separate PEM format file.
* The private key must be unencrypted. If your key is encrypted, decrypt it before importing it into {product-title}.
* The certificate must include the `subjectAltName` extension showing `*.apps.<clustername>.<domain>`.
* The certificate file can contain one or more certificates in a chain. The file must list the wildcard certificate as the first certificate, followed by other intermediate certificates, and then ending with the root CA certificate.
* Copy the root CA certificate into an additional PEM format file.
* Verify that all certificates which include `-----END CERTIFICATE-----` also end with one carriage return after that line.

.Procedure

. Create a config map that includes only the root CA certificate that is used to sign the wildcard certificate:
+
[source,terminal]
----
$ oc create configmap custom-ca \
     --from-file=ca-bundle.crt=</path/to/example-ca.crt> \//<1>
     -n openshift-config
----
<1> `</path/to/example-ca.crt>` is the path to the root CA certificate file on your local file system. For example, `/etc/pki/ca-trust/source/anchors`.

. Update the cluster-wide proxy configuration with the newly created config map:
+
[source,terminal]
----
$ oc patch proxy/cluster \
     --type=merge \
     --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
----
+
[NOTE]
====
If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. However, with these changes, the Machine Config Daemon (MCD) restarts critical services on each node, such as kubelet and CRI-O. These service restarts cause each node to briefly enter the `NotReady` state until the service is fully restarted.

If you change any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, the MCO reboots each node in your cluster.
====

. Create a secret that contains the wildcard certificate chain and key:
+
[source,terminal]
----
$ oc create secret tls <secret> \//<1>
     --cert=</path/to/cert.crt> \//<2>
     --key=</path/to/cert.key> \//<3>
     -n openshift-ingress
----
<1> `<secret>` is the name of the secret that will contain the certificate chain and private key.
<2> `</path/to/cert.crt>` is the path to the certificate chain on your local file system.
<3> `</path/to/cert.key>` is the path to the private key associated with this certificate.

. Update the Ingress Controller configuration with the newly created secret:
+
[source,terminal]
----
$ oc patch ingresscontroller.operator default \
     --type=merge -p \
     '{"spec":{"defaultCertificate": {"name": "<secret>"}}}' \//<1>
     -n openshift-ingress-operator
----
<1> Replace `<secret>` with the name used for the secret in the previous step.
+
[IMPORTANT]
====
To trigger the Ingress Operator to perform a rolling update, you must update the name of the secret.
Because the kubelet automatically propagates changes to the secret in the volume mount, updating the secret contents does not trigger a rolling update. For more information, see this link:https://access.redhat.com/solutions/4542531[Red{nbsp}Hat Knowledgebase Solution].
====