(Legacy) Renew certificates for a runtime

This documentation is for the legacy Konnect environment at konnect.konghq.com. For the cloud.konghq.com environment, see the current Konnect documentation.

Runtime certificates generated by Konnect Cloud expire every six (6) months.

Renew your certificates to prevent any interruption in communication between Konnect Cloud and any configured runtimes (data planes). If a certificate expires and is not replaced:

  • The runtime stops receiving configuration updates from the control plane.
  • The runtime stops sending Vitals and usage data to the control plane.
  • Each disconnected runtime uses cached configuration to continue proxying and routing traffic.

Depending on your setup, renewing certificates might mean bringing up a new data plane, or generating new certificates and updating data planes with the new files.

Quick setup

If you originally created your data plane container using the quick setup Docker script, we recommend running the script again to create a new data plane with renewed certificates.

  1. Stop the data plane container.
  2. Open Runtime Manager and click Configure New Runtime.
  3. Run the script again to create a new data plane with updated certificates.
  4. Remove the old data plane container.

Advanced setup

If your data planes are running on Linux or Kubernetes, or if you have a Docker data plane container that was not created using the quick setup script, generate new certificates and replace them on the existing nodes.

Generate new certificates

  1. Open Runtime Manager and click Configure New Runtime.
  2. Open the tab that suits your environment: Linux or Kubernetes.

    If you’re running a Docker container, you can use either of these tabs to complete the following steps.

  3. Click Generate Certificate.
  4. Save the new certificates and key into separate files:

    • Certificate: tls.crt
    • Private key: tls.key
    • Root CA Certificate: ca.crt
  5. Store the files on your runtime’s local filesystem.

Update data plane

Linux

Open your instance’s kong.conf file. Replace existing certificates with the new files:

cluster_cert = /{PATH_TO_FILE}/tls.crt
cluster_cert_key = /{PATH_TO_FILE}/tls.key
lua_ssl_trusted_certificate = system,/{PATH_TO_FILE}/ca.crt

Restart Kong Gateway for the settings to take effect:

kong restart

Clean up by deleting any old certificate and key files on your filesystem.

Kubernetes

Create new secrets for the certificates and key, making sure to name them something different from your current secret names.

  1. Create a TLS secret using the tls.crt and tls.key files you saved earlier:

    kubectl create secret tls kong-cluster-cert2 -n kong \
      --cert=/{PATH_TO_FILE}/tls.crt \
      --key=/{PATH_TO_FILE}/tls.key

  2. Create a generic secret for the ca.crt file:

    kubectl create secret generic kong-cluster-ca2 -n kong \
      --from-file=ca.crt=/{PATH_TO_FILE}/ca.crt
  3. Open the values.yaml file for your data plane and update it to point to the new secrets.

    Update the secretVolumes section:

     secretVolumes:
     - kong-cluster-cert2
     - kong-cluster-ca2
    

    Update the cert values in the env section:

     env:
       cluster_ca_cert: /etc/secrets/kong-cluster-ca2/ca.crt
       cluster_cert: /etc/secrets/kong-cluster-cert2/tls.crt
       cluster_cert_key: /etc/secrets/kong-cluster-cert2/tls.key
       lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-ca2/ca.crt
    
  4. Save the file. Reapply the configuration by running the Helm upgrade command:

     helm upgrade my-kong kong/kong -n kong \
       --values ./values.yaml
    
  5. Delete the old secrets.

    The kong-cluster-cert secret:

     kubectl delete secret kong-cluster-cert
    

    And the kong-cluster-ca secret:

     kubectl delete secret kong-cluster-ca
    

Docker

In your Docker container, replace existing certificates on your data planes with the new files and restart the Gateway:

echo "KONG_CLUSTER_CERT=/{PATH_TO_FILE}/tls.crt \
KONG_CLUSTER_CERT_KEY=/{PATH_TO_FILE}/tls.key \
KONG_LUA_SSL_TRUSTED_CERTIFICATE=/{PATH_TO_FILE}/ca.crt \
kong reload
exit" | docker exec -i {KONG_CONTAINER_ID} /bin/sh

Clean up by deleting any old certificate and key files on your filesystem.
