Renew Certificates for a Runtime Instance

Runtime certificates generated by Kong Konnect expire every ten years. If you bring your own certificates, make sure to monitor the expiration date.

Renew your certificates to prevent any interruption in communication between Kong Konnect and any configured runtimes, or data planes. If a certificate expires and is not replaced:

  • The runtime instance stops receiving configuration updates from the control plane.
  • The runtime instance stops sending analytics and usage data to the control plane.
  • Each disconnected runtime instance uses cached configuration to continue proxying and routing traffic.

Depending on your setup, renewing certificates might mean bringing up a new data plane, or generating new certificates and updating data planes with the new files.

Quick setup

If you originally created your runtime instance container using the quick setup Docker script, we recommend running the script again to create a new instance with renewed certificates.

  1. Stop the runtime instance container.
  2. Open Runtime Manager, select a runtime group, and click New Runtime Instance.
  3. Run the script again to create a new runtime instance with updated certificates.
  4. Remove the old runtime instance container.

Advanced setup

If your runtime instances are running on Linux or Kubernetes, or if you have a Docker container that was not created using the quick setup script, you must generate new certificates and replace them on the existing nodes.

Generate new data plane certificate

You can generate a new data plane certificate from Runtime Manager.

  1. Select a runtime instance.
  2. Click Runtime group actions and select Data plane certificates.
  3. Click Generate certificate.

  4. Save the new certificate and key into separate files:

    • certificate: tls.crt
    • private key: tls.key
  5. Store the files on the local file system.
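Before pointing a data plane at the new files, it is worth confirming that the certificate is not close to expiry (the page asks you to monitor this yourself when you bring your own certificates) and that the saved key really belongs to the saved certificate, since a mismatched pair stops the runtime instance from reconnecting to the control plane. The following pre-flight check is an added example, not Kong's own tooling; it relies only on the openssl command line, and the self-signed pair it generates is a constructed stand-in for the tls.crt and tls.key downloaded from Runtime Manager.

```shell
#!/bin/sh
# Pre-flight checks for a renewed data plane certificate pair.
# Added example (not Kong's code): assumes the openssl CLI is installed.

# Exit 0 if the certificate at $1 is still valid for at least $2 more days.
# openssl's -checkend exits non-zero when the cert expires within the window.
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Exit 0 if the private key at $2 matches the certificate at $1.
# Both are reduced to the public key they carry and the digests compared.
cert_matches_key() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Run both checks on a candidate tls.crt / tls.key pair; $3 is the minimum
# remaining validity in days (default 30). Exit 0 only when both pass.
preflight() {
  crt=$1; key=$2; min_days=${3:-30}
  cert_valid_for_days "$crt" "$min_days" \
    || { echo "$crt expires within $min_days days" >&2; return 1; }
  cert_matches_key "$crt" "$key" \
    || { echo "$key does not match $crt" >&2; return 1; }
  echo "ok: $crt and $key match and remain valid for >= $min_days days"
}

# Constructed sample: a throwaway self-signed pair written to $1, valid for $2
# days, standing in for the files saved from Runtime Manager.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample-data-plane" \
    -days "$2" -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# Stand-alone usage: sh preflight.sh /path/tls.crt /path/tls.key [min_days]
if [ "$#" -ge 2 ]; then
  preflight "$@"
fi
```

Run it against the real tls.crt and tls.key before editing kong.conf, the Kubernetes secret, or the Docker container; a non-zero exit means the pair should not be rolled out.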

Update data plane

Linux

Open your instance's kong.conf file. Replace the existing certificate paths with the new files:

cluster_cert = /{PATH_TO_FILE}/tls.crt
cluster_cert_key = /{PATH_TO_FILE}/tls.key

Restart Kong Gateway for the settings to take effect:

kong restart

Delete any old certificate and key files on your filesystem.

Kubernetes

Create new secrets for the certificate and key, making sure to name them something different from the current secret names.

  1. Create a TLS secret using the tls.crt and tls.key files you saved earlier:

     kubectl create secret tls kong-cluster-cert2 -n kong \
       --cert=/PATH_TO_FILE/tls.crt \
       --key=/PATH_TO_FILE/tls.key
    
  2. Open the values.yaml file for your runtime instance and update it to point to the new secrets.

    Update the secretVolumes section:

     secretVolumes:
     - kong-cluster-cert2
    

    Update the cert values in the env section:

     env:
       cluster_cert: /etc/secrets/kong-cluster-cert2/tls.crt
       cluster_cert_key: /etc/secrets/kong-cluster-cert2/tls.key
    
  3. Save the file. Reapply the configuration by running the Helm upgrade command:

     helm upgrade my-kong kong/kong -n kong \
       --values ./values.yaml
    
  4. Delete the old kong-cluster-cert secret from the same namespace:

     kubectl delete secret kong-cluster-cert -n kong
    

Docker

In your Docker container, replace any existing certificates on your runtime instances with the new files and reload the Gateway. The environment variables are set only for the kong reload command, and the semicolon keeps exit as a separate command rather than an argument to kong reload:

echo "KONG_CLUSTER_CERT=/{PATH_TO_FILE}/tls.crt \
  KONG_CLUSTER_CERT_KEY=/{PATH_TO_FILE}/tls.key \
  kong reload; exit" | docker exec -i {KONG_CONTAINER_ID} /bin/sh

Delete any old certificate and key files on your filesystem.
