Renew Certificates for a Runtime Instance
Runtime certificates generated by Kong Konnect expire every ten years. If you bring your own certificates, make sure to monitor the expiration date.
Renew your certificates before they expire to prevent any interruption in communication between Kong Konnect and any configured runtimes (data planes). If a certificate expires and is not replaced:
- The runtime instance stops receiving configuration updates from the control plane.
- The runtime instance stops sending analytics and usage data to the control plane.
- Each disconnected runtime instance uses cached configuration to continue proxying and routing traffic.
Depending on your setup, renewing certificates might mean bringing up a new data plane, or generating new certificates and updating data planes with the new files.
Quick setup
If you originally created your runtime instance container using the quick setup Docker script, we recommend running the script again to create a new instance with renewed certificates.
- Stop the runtime instance container.
- Open Runtime Manager, select a runtime group, and click New Runtime Instance.
- Run the script again to create a new runtime instance with updated certificates.
- Remove the old runtime instance container.
Advanced setup
If your runtime instances are running on Linux or Kubernetes, or if you have a Docker container that was not created using the quick setup script, you must generate new certificates and replace them on the existing nodes.
Generate new data plane certificate
You can generate a new data plane certificate from the Runtime Manager.
- Select a runtime instance.
- Click Runtime group actions and select Data plane certificates.
- Click Generate certificate.
- Save the new certificate and key into separate files:
  - certificate: tls.crt
  - private key: tls.key
- Store the files on the local file system.
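
One way to act on the expiration-monitoring advice above and to verify the saved tls.crt and tls.key before replacing them on a node, as an added example that is not part of the Kong documentation. It assumes the openssl CLI is installed; all function names and the 30-day warning window are hypothetical.

```shell
#!/bin/sh
# Added example (not Kong's code): checks for a data plane certificate pair.
# tls.crt / tls.key are the file names from the page; function names are hypothetical.

# Succeeds if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if private key $2 belongs to certificate $1 (their public keys match).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if key file $1 grants no permissions to group or others.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Runs all checks; prints one line per finding, returns 0 only if all pass.
# $3 is the warning window in days (assumed default: 30).
check_dp_cert_pair() {
    rc=0
    if ! cert_valid_for_days "$1" 0; then
        echo "FAIL: $1 is expired or unreadable"; rc=1
    elif ! cert_valid_for_days "$1" "${3:-30}"; then
        echo "WARN: $1 expires within ${3:-30} days"; rc=1
    fi
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
    return "$rc"
}

# Constructed sample input: throwaway self-signed pair in directory $1, valid $2 days.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=constructed-sample" \
        -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1 && chmod 600 "$1/tls.key"
}

# Usage: sh check_dp_cert.sh tls.crt tls.key [warn_days]
if [ "$#" -ge 2 ]; then check_dp_cert_pair "$@"; fi
```

Run from cron or a monitoring agent, a non-zero exit status signals that the pair needs attention before the data plane loses its connection to the control plane.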