Certificate renewal


Are the following steps to renew a private CA certificate (GeoTrust) for Rancher HA (v2.2.3) correct?

  1. Load balancer (Nginx): replace certificate with the new one

  2. Rancher cluster:
    kubectl -n cattle-system delete secret tls-rancher-ingress
    kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
    (tls.crt is chained)

  3. For every K8s cluster:

  • Upload and replace the certificate in Rancher UI used in projects with the new one
  • Rotate certificate for all services
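
A pre-flight check that can run before step 2, as an added example that is not part of the original post: it confirms that tls.crt is a chain, that tls.key belongs to its first (leaf) certificate and that the leaf has not expired, and only then runs the two kubectl commands from the post. It assumes openssl is installed; the function names, the `--apply` switch and the "at least two certificates" rule (taken from "tls.crt is chained") are choices of this example.

```shell
#!/bin/sh
# Added example: validate tls.crt / tls.key before replacing tls-rancher-ingress.
set -eu

# Number of PEM certificates in a bundle (leaf plus CA certificates).
cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the private key belongs to the first (leaf) certificate in the file.
# Compares public-key digests, so it works for RSA and EC keys alike.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf certificate has not expired yet.
not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run all checks; print the leaf's identity so the operator can eyeball it.
preflight() {
  crt=$1; key=$2
  # Assumption: a chained file holds at least leaf + one CA certificate.
  [ "$(cert_count "$crt")" -ge 2 ] || { echo "FAIL: $crt is not a chain" >&2; return 1; }
  key_matches_cert "$crt" "$key" || { echo "FAIL: $key does not match $crt" >&2; return 1; }
  not_expired "$crt" || { echo "FAIL: leaf certificate in $crt has expired" >&2; return 1; }
  openssl x509 -in "$crt" -noout -subject -issuer -enddate
}

# Only touch the cluster when asked to, and only if every check passed.
if [ "${1:-}" = "--apply" ]; then
  preflight tls.crt tls.key
  kubectl -n cattle-system delete secret tls-rancher-ingress
  kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
fi
```

Run without arguments it changes nothing; with `--apply` a failed check stops the script before the existing secret is deleted.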