Manage Mission Control certificate and certificate authority (CA) expiration

Certificates enable secure communication and establish trust between different components. Certificates expire after a set period, requiring renewal to maintain system security.

For more information about certificates and CAs in Mission Control, see Internode encryption.

Prerequisites

  • A running Mission Control cluster

  • kubectl command-line tool installed and configured

  • Administrative access to your Kubernetes cluster

  • Understanding of your organization’s certificate policies

Configure certificate expiration

Mission Control sets default certificate expiration to 20 years for:

  • Root CA

  • Internode certificates

  • Client to node certificates, cql-router

  • Management API certificates

Complete the post-upgrade steps to rotate the CA and each node’s certificate in a rolling fashion for all existing DSE clusters before upgrading to Mission Control version 1.9.0. See the 1.9.0 release notes for details.

Configure certificate duration using the certTemplate field in the MissionControlCluster custom resource definition (CRD). See crd-reference:missioncontrolcluster-v1.9.0.adoc#missioncontrolcluster-spec-encryption-internodeencryption-certs-certtemplate for more information.

Mission Control keeps only the new certificates in the keystore to ensure that all outgoing connections use updated credentials.

During the transition, the truststore maintains both old and new CAs to allow interoperability across nodes using different certificates.

After all nodes begin using the new certificates, Mission Control triggers the rotate internode certificates bulk action to remove the old CA from truststores and keystores.

To configure the expiration of the Mission Control certificate and CA:

  1. Open the MissionControlCluster resource file.

  2. Update the certTemplate field in the spec section:

    ...
spec:
  encryption:
    internodeEncryption:
      certs:
        certTemplate:
          duration: "175200h" # 20 years in hours
          renewBefore: "720h" # Renew 30 days before expiration
...

  3. Update the duration and renewBefore values in the certTemplate spec section as needed. Use the duration field to set the certificate’s lifetime and the renewBefore field to set when renewal should begin before expiration.

  4. Save your changes to the MissionControlCluster CR file.

  5. Apply the changes:

    kubectl apply -f MISSION_CONTROL_CLUSTER.yaml

    Replace MISSION_CONTROL_CLUSTER.yaml with the name of your MissionControlCluster resource file.

  6. Verify that the system created the new certificates:

    kubectl get secrets -n mission-control

  7. Verify that the system created the new Certificate resource:

    kubectl get certificate -n mission-control
    Result 
    NAME                                              READY   SECRET                                                   AGE
mission-control-cass-operator-serving-cert        True    mission-control-cass-operator-webhook-server-cert        452d
mission-control-k8ssandra-operator-serving-cert   True    mission-control-k8ssandra-operator-webhook-server-cert   452d
mission-control-serving-cert                      True    mission-control-webhook-server-cert                      452d
mission-control-ui-cert                           True    mission-control-ui-cert                                  318d

  8. Verify that the system created the new Issuer resource:

    kubectl get issuer -n mission-control
    Result 
    NAME                                                   READY   AGE
mission-control-cass-operator-selfsigned-issuer        True    452d
mission-control-k8ssandra-operator-selfsigned-issuer   True    452d
mission-control-selfsigned-issuer                      True    452d

  9. Verify that the system created the new CertificateRequest resource:

    kubectl get certificaterequest -n mission-control

Recover from certificate expiration

When the certificates expire, Mission Control cannot establish secure communication between the components, and your clusters are unavailable.

To recover from certificate expiration, follow these steps:

  1. Stop the datacenter by setting stopped to true in the MissionControlCluster resource:

    apiVersion: missioncontrol.datastax.com/v1
kind: MissionControlCluster
metadata:
  name: CLUSTER_NAME
  namespace: PROJECT_SLUG
spec:
  k8ssandra:
    cassandra:
      datacenters:
        - name: DATACENTER_NAME
          stopped: true

    Replace the following:

    • CLUSTER_NAME: The namespace of your cluster

    • PROJECT_SLUG: The namespace of your project

    • DATACENTER_NAME: The name of your datacenter

      You can find the project slug in the Mission Control UI breadcrumbs next to the cluster name on the cluster details page.

  2. Apply the changes:

    kubectl apply -f MISSION_CONTROL_CLUSTER.yaml

    Replace MISSION_CONTROL_CLUSTER.yaml with the name of your MissionControlCluster resource file.

  3. Verify that the datacenter is stopped:

    kubectl get pods -n PROJECT_SLUG | grep DATACENTER_NAME

    Replace the following:

    • PROJECT_SLUG: The namespace of your project

    • DATACENTER_NAME: The name of your datacenter.

  4. Delete the certificates for the cluster:

    kubectl delete secret -n mission-control \
  CLUSTER_NAME-DATACENTER_NAME-internode-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-internode-server-cert \
  CLUSTER_NAME-DATACENTER_NAME-c-mgmt \
  CLUSTER_NAME-DATACENTER_NAME-c-mgmt-ks \
  CLUSTER_NAME-DATACENTER_NAME-s-mgmt \
  CLUSTER_NAME-DATACENTER_NAME-s-mgmt-ks \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode-ks \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode-ks \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode \
  CLUSTER_NAME-DATACENTER_NAME-RACK_NAME-NODE_INDEX-inode-ks \
  CLUSTER_NAME-DATACENTER_NAME-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-client-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-server-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-client-management-api-cert \
  CLUSTER_NAME-DATACENTER_NAME-cql-router-server-management-api-cert

    Replace the following:

    • CLUSTER_NAME: The name of your cluster

    • DATACENTER_NAME: The name of your datacenter

    • RACK_NAME: The name of your rack

    • NODE_INDEX: The index of your node within the rack

  5. Verify that the system deleted the secrets:

    kubectl get secrets -n mission-control

  6. Delete any remaining secrets related to the expired certificates:

    kubectl delete secret SECRET_NAME -n PROJECT_SLUG

    Replace the following:

    • SECRET_NAME: The name of the secret related to the expired certificates

    • PROJECT_SLUG: The name of your project

  7. Delete the Certificate resource:

    kubectl delete certificate -n PROJECT_SLUG cluster-certificate

    Replace PROJECT_SLUG with the namespace of your project.

  8. Verify that the system deleted the Certificate resource:

    kubectl get certificate -n mission-control

  9. Update the MissionControlCluster object to restart the datacenter:

    apiVersion: missioncontrol.datastax.com/v1
kind: MissionControlCluster
metadata:
  name: CLUSTER_NAME
  namespace: PROJECT_SLUG
spec:
    stopped: false

    Replace the following:

    • CLUSTER_NAME: The name of your cluster

    • PROJECT_SLUG: The namespace of your project

  10. Apply the changes:

    kubectl apply -f MISSION_CONTROL_CLUSTER.yaml

    Replace mission-control-cluster.yaml with the name of your MissionControlCluster resource file.

    Applying the update triggers a reconciliation and creates new certificates.

  11. Verify that Mission Control created the new certificates:

    kubectl get secrets -n mission-control

  12. Verify that Mission Control recreated the secrets:

    kubectl describe secret -n mission-control

  13. Verify that the datacenter is running:

    kubectl get pods -n PROJECT_SLUG | grep DATACENTER_NAME

    Replace the following:

    • PROJECT_SLUG: The namespace of your project

    • DATACENTER_NAME: The name of your datacenter

Example: Certificate Template Configuration
spec:
  encryption:
    internodeEncryption:
      certs:
        certTemplate:
          # Set duration to 2 years
          duration: "17520h"  # 2 years in hours
          # Start renewal process 30 days before expiration
          renewBefore: "720h" # 30 days in hours
          # Additional security settings
          keySize: 4096      # RSA key size

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com