
Update SSL Certificates for Ascender

Introduction

This document outlines how to update the SSL certificate for an existing Ascender installation and provides two options for doing so. It assumes that you have a valid and working Ascender installation. The recommended method for installation is the ascender-install script from the CIQ repository, and the first certificate update method uses those same installation scripts.

Obtaining SSL certificates for your environment is outside the scope of this article, and you will need to have them issued before proceeding. The Common Name (CN) field in the certificate must match the URL you have chosen for Ascender. Your certificate and private key must be in PEM format, with the certificate stored in a .crt (or .cer) file and the private key stored in a separate .key file.
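The requirements above can be checked before either update method is run. The following is an added example, not part of the ascender-install scripts; the function name, return codes, script name and the default 14-day expiry margin are assumptions made for illustration, and it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example: pre-flight check for the certificate/key pair that will be
# placed in ascender-tls-secret. Not part of the ascender-install scripts.
# Usage (hypothetical script name):
#   sh check_tls_pair.sh CRT KEY HOSTNAME [MIN_DAYS]

# Returns 0 if the pair is usable, otherwise a code naming the failed check:
#   2 file is not PEM or cannot be parsed (includes passphrase-protected keys)
#   3 private key does not belong to the certificate
#   4 certificate expires within MIN_DAYS (default 14, an assumed margin)
#   5 HOSTNAME is not covered by the certificate
check_tls_pair() {
    crt=$1 key=$2 host=$3 min_days=${4:-14}

    # Both files must be PEM; DER or PKCS#12 input is rejected here.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null || return 2
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key" 2>/dev/null || return 2

    # Derive the public key from each side and compare them.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 4

    # -checkhost matches subjectAltName DNS entries and falls back to the
    # CN only when the certificate has none.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || return 5
    return 0
}

# Run the check only when the script is called with arguments.
if [ "$#" -ge 3 ]; then
    check_tls_pair "$@" && echo "certificate and key OK" || {
        rc=$?
        echo "check failed with code $rc" >&2
        exit "$rc"
    }
fi
```

A non-zero result means the pair should be fixed before it is referenced in tls_crt_path and tls_key_path or encoded into the secret manifest.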

Problem

If you are using a domain validated certificate, you will need to update the SSL certificate for your Ascender install every 90 days to 1 year, depending on your certificate provider.

Resolution

When updating your certificate, you can choose to rerun the setup script or manually update the secret within Kubernetes.

Rerun the setup script

When you install Ascender using the ascender-install scripts provided by CIQ, a custom.config.yml file is generated that contains the variables used to perform your initial install. Modify the following variables within this file:

  • kube_install: Set this to false, as you already have a Kubernetes cluster on which Ascender is running.
  • download_kubeconfig: Set this to false, as you already have a valid KUBECONFIG file to authenticate to your existing Ascender instance.
  • tls_crt_path: Change this, if necessary, to the location of your certificate.
  • tls_key_path: Change this, if necessary, to the location of your private key.

Now, rerun the setup.sh script and the new certificate will be installed.

Modify the Kubernetes secret

To manually deploy the certificate within Kubernetes, you need to create a new secret manifest. Specifically, we will replace the contents of the ascender-tls-secret secret. First, we need to base64 encode our certificate and private key:

ASCENDER_CERT=$(base64 -w0 /path/to/crt)
ASCENDER_KEY=$(base64 -w0 /path/to/key)

Next, we will create a new manifest using this information:

cat <<EOF > ascender_tls.yml
apiVersion: v1
kind: Secret
metadata:
  name: ascender-tls-secret
  namespace: ascender
type: kubernetes.io/tls
data:
  tls.crt: ${ASCENDER_CERT}
  tls.key: ${ASCENDER_KEY}
EOF

You can apply this by running the following:

kubectl apply -f ascender_tls.yml

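After a few seconds, your new certificate will be applied. The ascender_tls.yml manifest holds your private key in base64, which is an encoding and not encryption, so treat that file with the same care as the .key file itself. You can verify your new certificate by running the following: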

echo | openssl s_client -connect your-ascender-hostname:443 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName -dates
