
Replace the service certificate

Geoff Baskwill edited this page Aug 6, 2019 · 4 revisions

The default Deep Security Smart Check install creates a self-signed TLS certificate for example.com. This certificate is re-generated every time you upgrade Deep Security Smart Check or perform an update using helm upgrade, so users may get into the habit of accepting insecure communications and may get annoyed with having to click through certificate warnings.

You should replace this certificate with your own, issued by a trusted certificate authority for the correct host name or address, to improve security and usability for your users.

Note: You will also need to replace the default certificate if you want to enable pre-registry scanning.

  1. Obtain a certificate from a trusted certificate authority. There will be two associated files: a certificate and a private key. If the certificate authority also provides a file with intermediate certificates, create a composite file that combines the certificates into a chain, with your certificate first and the intermediates after it:

    cat certificate.pem intermediates.pem > chain.pem
  2. Create a Kubernetes TLS secret with your certificate and key:

    kubectl create secret tls dssc-proxy-certificate \
      --namespace default \
      --cert=path/to/chain.pem \
      --key=path/to/key.pem

    The secret must exist in the same namespace as the service. If you have installed Deep Security Smart Check in a namespace other than default, modify the command to use the correct namespace.

  3. Include the name of the certificate secret in your overrides.yaml file:

    certificate:
      secret:
        name: dssc-proxy-certificate
        certificate: tls.crt
        privateKey: tls.key
  4. Update the service:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

    If you are using a specific version of Deep Security Smart Check, use the version number in the command. For example, to use version 1.2.0, the command would be:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/1.2.0.tar.gz
  5. Restart the proxy pod:

    kubectl delete pods \
      --namespace default \
      -l "service=proxy,release=deepsecurity-smartcheck"

    Kubernetes will automatically restart the proxy pod.

Once the proxy pod has restarted, you should see that the service is using the new certificate.
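Two mistakes in step 1 and step 2 are not caught by kubectl: a chain file whose certificates are in the wrong order, and a private key that does not belong to the certificate. The script below is an added example, not part of the smartcheck-helm project; it checks both before creating the dssc-proxy-certificate secret from this page, and includes a helper to read the fingerprint the proxy serves after the pod restart. It assumes openssl and kubectl are on the PATH and uses the default namespace unless one is given.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the Smart Check proxy certificate (added example,
# not project code). kubectl accepts a mismatched key or a mis-ordered
# chain without complaint; the proxy then fails to serve TLS correctly.
set -eu

# Succeeds when the first certificate in $1 carries the public key of $2.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when each certificate in bundle $1 is issued by the one after it
# (leaf first, then intermediates), which is the order TLS clients expect.
chain_is_ordered() {
  tmp=$(mktemp -d)
  # split the PEM bundle into 1.pem, 2.pem, ... in file order
  awk -v dir="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (dir "/" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
    # drop the "issuer=" / "subject=" prefixes before comparing the DNs
    [ "${issuer#*=}" = "${subject#*=}" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Run both checks, then create the secret named in overrides.yaml.
# $1 = chain file, $2 = key file, $3 = namespace (default: "default").
create_proxy_secret() {
  chain="$1"; key="$2"; ns="${3:-default}"
  cert_matches_key "$chain" "$key" || { echo "key does not match leaf cert" >&2; return 1; }
  chain_is_ordered "$chain" || { echo "chain is not leaf-first" >&2; return 1; }
  kubectl create secret tls dssc-proxy-certificate \
    --namespace "$ns" --cert="$chain" --key="$key"
}

# After the proxy pod restarts, compare this with the fingerprint of your
# own certificate to confirm the service is using the new one ($1 = host).
served_cert_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
```

Compare the output of served_cert_fingerprint with `openssl x509 -in chain.pem -noout -fingerprint -sha256`; they should match once the pod has restarted.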

Revert to the auto-generated certificate

If you need to undo the procedure described above, you can revert to the auto-generated certificate by following these steps:

  1. Delete the certificate secret name override from your overrides.yaml file.

  2. Update the service:

    helm upgrade \
      --values overrides.yaml \
      deepsecurity-smartcheck \
      https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz
  3. Restart the proxy pod:

    kubectl delete pods \
      --namespace default \
      -l "service=proxy,release=deepsecurity-smartcheck"

    Kubernetes will automatically restart the proxy pod.

Once the proxy pod has restarted, you should see that the service is using an auto-generated certificate.

How to use Amazon Certificate Manager certificates with Deep Security Smart Check

If you are running Deep Security Smart Check in Amazon EKS and are using a load balancer (the default), you can use a certificate from AWS Certificate Manager.

Add the following to your overrides.yaml file:

service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:[region]:[account-id]:certificate/[certificate-id]

where the value is the ARN of the certificate you want to use, then run helm upgrade to apply the new overrides.
