Rotate the Server Certificate

The TimesTen Operator can rotate the server certificate.

In this example, assume you want to create a new server certificate. The root certificate does not change.

  1. Concatenate the new server certificate, the original intermediate certificate, and the original root CA, making a full certificate chain.
    cat new_server.pem intermediate.pem root.pem > completeServer.pem
  2. Combine the certificates with the server's private key to create a PKCS#12 file, protected with a password.
    openssl pkcs12 -export -in completeServer.pem -inkey privkey.pem -out server.p12 -passout pass:welcome1
  3. Update the Kubernetes Secret. This Secret already exists in your namespace. See Import CA-Signed Certificates for Client/Server TLS Encryption.
    kubectl create secret generic tt-server-pfx-secret --from-file=server.p12 --dry-run=client -o yaml | kubectl apply -f -

The TimesTen Operator recognizes that the Kubernetes Secret has changed and takes appropriate action to rotate the server certificate.
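
A pre-flight check to run between steps 2 and 3, added here as an example and not part of the TimesTen documentation or the Operator: it confirms that the new certificate chains to the unchanged root, that the private key matches it, and that server.p12 opens with its password and carries the new certificate. The function name check_rotation_bundle and the P12_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: consistency checks before updating tt-server-pfx-secret.
# check_rotation_bundle is a hypothetical helper, not a TimesTen tool.
# Usage: export P12_PASS='<p12 password>'
#        check_rotation_bundle new_server.pem intermediate.pem root.pem privkey.pem server.p12

fp() {  # SHA-256 fingerprint of the first certificate read from stdin
    openssl x509 -noout -fingerprint -sha256
}

check_rotation_bundle() {
    leaf=$1 inter=$2 root=$3 key=$4 p12=$5

    # 1. The new leaf must chain to the unchanged root through the intermediate.
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $leaf does not chain to $root" >&2; return 1; }

    # 2. The private key must belong to the new certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $leaf" >&2; return 1; }

    # 3. The certificate must not expire within the next 24 hours.
    openssl x509 -in "$leaf" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "FAIL: $leaf expires within 24h" >&2; return 1; }

    # 4. The PKCS#12 file must open with the password (read from the
    #    environment, not the command line) and carry the new leaf.
    p12_fp=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
                 2>/dev/null | fp 2>/dev/null) || p12_fp=""
    [ -n "$p12_fp" ] && [ "$p12_fp" = "$(fp < "$leaf")" ] ||
        { echo "FAIL: $p12 unreadable or does not contain $leaf" >&2; return 1; }

    echo "OK: chain, key, validity and PKCS#12 contents are consistent"
}
```

A non-zero return means the bundle should not be applied to the Secret; the message on stderr names the check that failed.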