Manage Mission Control certificate and certificate authority (CA) expiration

Certificates enable secure communication and establish trust between different components. Certificates expire after a set period, requiring renewal to maintain system security.

For more information about certificates and CAs in Mission Control, see Internode encryption.

Prerequisites

A running Mission Control cluster
kubectl command-line tool installed and configured
Administrative access to your Kubernetes cluster
Understanding of your organization’s certificate policies

Configure certificate expiration

Mission Control sets default certificate expiration to 20 years for:

Root CA
Internode certificates
Client to node certificates, cql-router
Management API certificates

Complete the post-upgrade steps to rotate the CA and each node’s certificate in a rolling fashion for all existing DSE clusters before upgrading to Mission Control version 1.9.0. See the 1.9.0 release notes for details.

Configure certificate duration using the certTemplate field in the MissionControlCluster custom resource definition (CRD). See crd-reference:missioncontrolcluster-v1.9.0.adoc#missioncontrolcluster-spec-encryption-internodeencryption-certs-certtemplate for more information.

Mission Control keeps only the new certificates in the keystore to ensure that all outgoing connections use updated credentials.

During the transition, the truststore maintains both old and new CAs to allow interoperability across nodes using different certificates.

After all nodes begin using the new certificates, Mission Control triggers the rotate internode certificates bulk action to remove the old CA from truststores and keystores.

To configure the expiration of the Mission Control certificate and CA:

Open the MissionControlCluster resource file.

Update the certTemplate field in the spec section:

...
spec:
  encryption:
    internodeEncryption:
      certs:
        certTemplate:
          duration: "175200h" # 20 years in hours
          renewBefore: "720h" # Renew 30 days before expiration
...

Update the duration and renewBefore values in the certTemplate spec section as needed. Use the duration field to set the certificate’s lifetime and the renewBefore field to set when renewal should begin before expiration.
Save your changes to the MissionControlCluster CR file.
Apply the changes:
```
kubectl apply -f MISSION_CONTROL_CLUSTER.yaml
```
Replace MISSION_CONTROL_CLUSTER.yaml with the name of your MissionControlCluster resource file.
Verify that the system created the new certificates:
```
kubectl get secrets -n mission-control
```

Verify that the system created the new Certificate resource:

kubectl get certificate -n mission-control

Result

NAME                                              READY   SECRET                                                   AGE
mission-control-cass-operator-serving-cert        True    mission-control-cass-operator-webhook-server-cert        452d
mission-control-k8ssandra-operator-serving-cert   True    mission-control-k8ssandra-operator-webhook-server-cert   452d
mission-control-serving-cert                      True    mission-control-webhook-server-cert                      452d
mission-control-ui-cert                           True    mission-control-ui-cert                                  318d

Verify that the system created the new Issuer resource:

kubectl get issuer -n mission-control

Result

NAME                                                   READY   AGE
mission-control-cass-operator-selfsigned-issuer        True    452d
mission-control-k8ssandra-operator-selfsigned-issuer   True    452d
mission-control-selfsigned-issuer                      True    452d

Verify that the system created the new CertificateRequest resource:
```
kubectl get certificaterequest -n mission-control
```

Recover from certificate expiration

When the certificates expire, Mission Control cannot establish secure communication between the components, and your clusters are unavailable.

To recover from certificate expiration, follow these steps:

Stop the datacenter by setting stopped to true in the MissionControlCluster resource:

apiVersion: missioncontrol.datastax.com/v1
kind: MissionControlCluster
metadata:
  name: CLUSTER_NAME
  namespace: PROJECT_SLUG
spec:
  k8ssandra:
    cassandra:
      datacenters:
        - name: DATACENTER_NAME
          stopped: true

Replace the following:

CLUSTER_NAME: The namespace of your cluster
PROJECT_SLUG: The namespace of your project
DATACENTER_NAME: The name of your datacenter

Apply the changes:
```
kubectl apply -f MISSION_CONTROL_CLUSTER.yaml
```
Replace MISSION_CONTROL_CLUSTER.yaml with the name of your MissionControlCluster resource file.
Verify that the datacenter is stopped:
```
kubectl get pods -n PROJECT_SLUG | grep DATACENTER_NAME
```
Replace the following:
- PROJECT_SLUG: The namespace of your project
- DATACENTER_NAME: The name of your datacenter.

Delete the certificates for the cluster:

kubectl delete secret -n mission-control \
  CLUSTER_NAME-DATACENTER_NAME-internode-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-internode-server-cert \
  CLUSTER_NAME-DATACENTER_NAME-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-server-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-client-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-server-management-api-cert

Replace the following:

CLUSTER_NAME: The name of your cluster
DATACENTER_NAME: The name of your datacenter

Verify that the system deleted the secrets:
```
kubectl get secrets -n mission-control
```
Delete any remaining secrets related to the expired certificates:
```
kubectl delete secret SECRET_NAME -n PROJECT_SLUG
```
Replace the following:
- SECRET_NAME: The name of the secret related to the expired certificates
- PROJECT_SLUG: The name of your project
Delete the Certificate resource:
```
kubectl delete certificate -n PROJECT_SLUG cluster-certificate
```
Replace PROJECT_SLUG with the namespace of your project.
Verify that the system deleted the Certificate resource:
```
kubectl get certificate -n mission-control
```
Update the MissionControlCluster object to restart the datacenter:
```
apiVersion: missioncontrol.datastax.com/v1
kind: MissionControlCluster
metadata:
  name: CLUSTER_NAME
  namespace: PROJECT_SLUG
spec:
    stopped: false
```
Replace the following:
- CLUSTER_NAME: The name of your cluster
- PROJECT_SLUG: The namespace of your project
Apply the changes:
```
kubectl apply -f MISSION_CONTROL_CLUSTER.yaml
```
Replace mission-control-cluster.yaml with the name of your MissionControlCluster resource file.

Applying the update triggers a reconciliation and creates new certificates.
Verify that Mission Control created the new certificates:
```
kubectl get secrets -n mission-control
```
Verify that Mission Control recreated the secrets:
```
kubectl describe secret -n mission-control
```
Verify that the datacenter is running:
```
kubectl get pods -n PROJECT_SLUG | grep DATACENTER_NAME
```
Replace the following:
- PROJECT_SLUG: The namespace of your project
- DATACENTER_NAME: The name of your datacenter

Example: Certificate Template Configuration

spec:
  encryption:
    internodeEncryption:
      certs:
        certTemplate:
          # Set duration to 2 years
          duration: "17520h"  # 2 years in hours
          # Start renewal process 30 days before expiration
          renewBefore: "720h" # 30 days in hours
          # Additional security settings
          keySize: 4096      # RSA key size

Manage Mission Control certificate and certificate authority (CA) expiration

Prerequisites

Configure certificate expiration

Recover from certificate expiration

Was this helpful?

Give Feedback