This page documents AlloyDB Omni version 17.7.0 using the container orchestrator deployment option. Choose a different deployment option .

Manually rotate internal certificates

Select a documentation version:

By default, the AlloyDB Omni Kubernetes operator uses cert-manager to provision a set of TLS certificates for each database cluster. In addition to the database server certificate, the operator creates certificates for control plane components to secure internal connections.

While cert-manager automates certificate renewals based on the duration and renewBefore fields of a Certificate object, you might need to manually trigger a certificate rotation in the following scenarios:

A private key is compromised.
A CA certificate is rotated. According to cert-manager documentation, when a CA certificate associated with an issuer is rotated, the leaf certificates aren't automatically re-issued.
cert-manager automatic re-issuance fails. Although rare, if automatic re-issuance doesn't trigger due to specific conditions described in the cert-manager FAQ , you must trigger a manual rotation.

Before you begin

Ensure you have kubectl configured to access your Kubernetes cluster.
Ensure that cert-manager is running on your Kubernetes cluster.

Manual certificate rotation

To manually trigger certificate rotation, delete the secret associated with the cert-manager Certificate object. The cert-manager controller reconciles the object and re-issues the certificate, which creates a new secret. Workloads associated with the AlloyDB Omni operator automatically reload their TLS configurations to use the new certificate.

Identify the cert-manager Certificate that you want to rotate. These objects are in your DBCluster namespace and the namespace where the AlloyDB Omni operator is installed. The names of CA certificates have the prefix dbs-al-ca , while leaf certificates have the prefix dbs-al-cert . In the remaining steps, use the name of the associated secret from the output.
```
 kubectl  
get  
certificate  
 CERTIFICATE_NAME 
  
-n  
 NAMESPACE 
  
-o  
wide 
```

Before you trigger rotation, back up the certificate secret:

 kubectl  
get  
secret  
 SECRET_NAME 
  
-n  
 NAMESPACE 
  
-o  
yaml > 
 SECRET_NAME 
- NAMESPACE 
.yaml.bak

Delete the certificate secret:

 kubectl  
delete  
secret  
 SECRET_NAME 
  
-n  
 NAMESPACE

Wait for cert-manager to recreate the certificate secret:

 kubectl  
get  
secret  
 SECRET_NAME 
  
-n  
 NAMESPACE 
  
-w

Verify certificate rotation

After you manually rotate the certificates, verify that the new certificates are in use:

Check the certificate secret. The creationTimestamp value must reflect the time after you manually rotated the certificate:
```
 kubectl  
get  
secret  
 SECRET_NAME 
  
-n  
 NAMESPACE 
  
-o  
yaml 
```
Examine the Certificate status. Verify that the notBefore and notAfter dates in the status section are correct:
```
 kubectl  
describe  
certificate  
 CERTIFICATE_NAME 
  
-n  
 NAMESPACE 
 
```

What's next

Manage certificates .

Manually rotate internal certificates Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Manual certificate rotation

Verify certificate rotation

What's next

Manually rotate internal certificates