Prepare prerequisites for updating installer-generated certificates with your own public or enterprise certificates.
Overview
There are two approaches for BYOC certificate management:
|
BYOC Approach |
Description |
Recommended for |
|---|---|---|
|
Approach 1: Replace external certificates only |
Replace the external (user-facing) certificate with your enterprise PKI or public CA certificate, while keeping internal server/client certificates, admin client certificates, and SAML signing certificate generated by the installer. |
Most production deployments. |
|
Approach 2: Replace all certificate material |
Replace the external certificate and replace internal server/client certificates, admin client certificates, and SAML signing certificate using your enterprise PKI / organization process. |
Production only if required by policy (higher operational overhead). |
Note: External TLS is typically terminated at the frontend HAProxy (or an external load balancer, if deployed in front of HAProxy), depending on your topology.
Secrets Manager Keystore: The Secrets Manager (SM) service uses a dedicated keystore to generate and protect platform key material. For Proof of Concepts, you may use the installer-generated alias values. For production, you must regenerate these aliases so they are unique to your environment and do not rely on defaults.
For Single-Node Installations:
Single-node installations consider the Single Node to be both Frontend and Backend. All listed prerequisites and steps should be applied to the single node server.
System Prerequisites
Before updating or replacing certificates, ensure you have the following prepared.
Directory Path References:
There are two referenced directory locations in these instructions:
-
installer_dir: the location where the unzipped install files reside, including all installation scripts and supporting files. -
agilesec_install_dir: the location where AgileSec is installed to.
Administrative Access (all nodes)
Administrative access to all node servers, including
-
Permission to read/write under
$INSTALLER_DIR/certificates. -
sudo permissions to run scripts such as
./scripts/tune.sh -
Ability to restart services after certificate changes (for example, using
./scripts/manage.sh) and access to logs for troubleshooting.
Java keytool (all nodes)
Ensure Java keytool is available on all nodes for inspecting keystores (.p12) and for generating sm-service keystore. If keytool is not already available on the node, extract it to $INSTALLER_DIR/tmp from the bundled JRE archive:
# Set environment variable to installer files location
INSTALLER_DIR=<path-to-installer-dir>
# Extract java keytool to the correct location
mkdir -p $INSTALLER_DIR/tmp
tar -xzf \
$INSTALLER_DIR/apps/openlogic-openjdk-jre-*17.0.14+7*-linux-x64.tar.gz \
-C $INSTALLER_DIR/tmp
export \
JAVA_PATH=$INSTALLER_DIR/tmp/openlogic-openjdk-jre-17.0.14+7-linux-x64
After extraction, keytool will be available under: $INSTALLER_DIR/tmp/openlogic-openjdk-jre-17.0.14+7-linux-x64/bin/keytool.
Note: Additional, specific guidelines for each certificate type are covered in their individual updating steps.
Configuration Decisions
Ensure stakeholders confirm the following configuration items prior to certificate management. Ensure your configuration file multi_node_config.conf aligns with these decisions when generating .env for AgileSec installation.
The following configuration parameters must align between BYOC materials and install configuration (or vice versa). Update multi_node_config.conf as needed and generate .env to match your organization’s certificate requirements prior to installation.
For Single-Node Installations:
Update single_node_config.conf instead of multi_node_config.conf.
Approach 1: Replace external certificates only
|
Description |
|
Default |
Applicable Certificates |
|---|---|---|---|
|
Root CA Validity |
|
|
Root CA |
|
Other Certificate Validity |
|
|
All BYOC Certificates |
|
Platform External FQDN The primary external facing FQDN for the platform. |
|
|
External (User-Facing) Certificates |
|
Server Certificate Common Name (CN) and Filenames Prefix If you override this default, ensure the replacement certificates are valid for your organization’s operational and renewal requirements. |
|
|
External (User-Facing) Certificates, Internal Server Certificates |
Approach 2: Replace all certificate material
Note: rootca_cert_expiry_days and cert_expiry_days are not relevant to Approach 2 as the installer-generated CA and other certificates will be completely replaced.
|
Description |
|
Default |
Applicable Certificates |
|---|---|---|---|
|
Platform External FQDN Primary external facing FQDN for the platform |
|
|
External (User-Facing) Certificates |
|
Internal Domain Internal domain used for node-to-node communication. |
|
|
All internal certificates: Internal Server Certificates, mTLS Client Certificates, Admin Client Certificates, SAML IdP Signing Certificate, Secrets Manager Keystore |
|
Server Certificates base Subject Distinguished Name (DN) Set this value before installation so the expected subjects match your environment. |
|
|
SAML IdP Signing Certificate, Secrets Manager Keystore |
|
Client Certificates base Subject Distinguished Name (DN) Set this value before installation so the expected subjects match your environment. |
|
|
mTLS Client Certificates |
|
Server Certificate Common Name (CN) and Filenames Prefix If you override this default, ensure the replacement certificates are valid for your organization’s operational and renewal requirements. |
|
|
External (User-Facing) Certificates, Internal Server Certificates |
|
Client Certificates Common Name (CN) and Filenames Prefix If you override this default, ensure the replacement certificates are valid for your organization’s operational and renewal requirements. |
|
|
mTLS Client Certificates |
|
Client Certificate BYOC Model See details below for choosing and setting the correct Client Certificate BYOC Model. |
|
|
mTLS and Admin Client Certificates |
|
Server Certificate BYOC Model Do NOT override this value. Using individual server certificates is not currently supported. |
|
(Do not override this default.) |
Internal Server Certificates |
Choose Client Certificate BYOC Model
There are two BYOC models for mTLS and Admin Client Certificates. The model is determined by the configuration variable use_single_client_cert, which defaults to true.
Model 1: Single Shared Client Certificate (installer default)
Set use_single_client_cert=true to use one client certificate shared by all services:
-
A single shared client certificate is used by all platform services for mTLS client authentication.
-
A single admin client certificate is used for administrative authentication to both MongoDB and OpenSearch.
-
This approach mirrors installer behavior, but certificates will be issued by your enterprise PKI.
Model 2: Per-Service Client Certificates
Set use_single_client_cert=false for stronger isolation and independent rotation:
-
Use separate client certificates per service for mTLS client authentication.
-
Use separate client certificates for administrative authentication to both MongoDB and OpenSearch.
-
Enables independent rotation of a single service credential without impacting others.
Set use_single_client_cert according to the model you wish to use for mTLS and Admin Client Certificates.
Secrets Manager (SM) Keystore Aliases
For Proof of Concepts, you may use the installer-generated alias values. For production, you must regenerate these aliases so they are unique to your environment and do not rely on defaults.
Recommendation: Regenerate these aliases even for POCs to align with production practices and avoid accidental reuse across environments.
See BYOC: Update Secrets Manager Keystore.
|
SM Alias |
|
Default Installer-Generated Example |
Regeneration Instructions |
|---|---|---|---|
|
Symmetric AES-256 CMK (SecretKeyEntry) Alias
|
|
|
|
|
Asymmetric NIST P-384 key pair (PrivateKeyEntry) Alias |
|
|
|