Managing KUMA web console certificates in a high availability configuration

Modifying the self-signed web console certificate

To replace the self-signed KUMA web console certificate with your corporate certificate:

1. Connect to the primary controller of the cluster via ssh:

   ssh <user name>@<FQDN of the primary controller>

2. Go to the home directory of the user or create a new directory for subsequent operations and go to it.
3. Back up the current certificate and key to the current directory on the cluster controller:

   export POD=$(k0s kubectl get pods --namespace kuma -l "app=core" -o jsonpath="{.items[0].metadata.name}")

   sudo k0s kubectl cp --no-preserve -c core kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.cert ./external.cert.old

   sudo k0s kubectl cp --no-preserve -c core kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.key ./external.key.old

4. Prepare the custom certificate and key that you want to use as replacement.

   In OpenSSL, convert the PFX file to a certificate and an encrypted key in PEM format:

   sudo openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nokeys -out external.cert

   sudo openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nocerts -nodes -out external.key

   When carrying out the command, you are required to specify the PFX key password (Enter Import Password).

   As a result, the external.cert certificate and the external.key in PEM format are returned.

5. Place the obtained 'external.cert' certificate file and 'external.key' key file in the current directory on the cluster controller and then copy them to the file system of the KUMA Core pod:

   export POD=$(k0s kubectl get pods --namespace kuma -l "app=core" -o jsonpath="{.items[0].metadata.name}")

   sudo k0s kubectl cp --no-preserve ./external.cert kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.cert -c core

   sudo k0s kubectl cp --no-preserve ./external.key kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.key -c core

6. Restart the KUMA Core:

   sudo k0s kubectl rollout restart deployment/core-deployment -n kuma

7. Refresh the web page or restart the browser hosting the KUMA web interface.

The self-signed certificate of the web console is replaced with your corporate certificate.

Rolling back the changes

To roll back the changes you made and return to using the previous certificate and key:

1. Go to the home directory of the user on the primary controller and run the following commands:

   sudo export POD=$(k0s kubectl get pods --namespace kuma -l "app=core" -o jsonpath="{.items[0].metadata.name}")

   sudo k0s kubectl cp --no-preserve ./external.cert.old kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.cert -c core

   sudo k0s kubectl cp --no-preserve ./external.key.old kuma/$POD:/opt/kaspersky/kuma/core/certificates/external.key -c core

2. Restart the KUMA Core:

   sudo k0s kubectl rollout restart deployment/core-deployment -n kuma

3. Refresh the web page or restart the browser hosting the KUMA web interface.

The changes are rolled back and the previous certificate and key of the web console are being used.