This document applies to the customers deploying the OpsRamp NextGen Gateway and the purpose is to enhance secure communication by uploading trusted CA certificates to the gateway and its host operating system.
Overview
In environments that rely on internal or custom Certificate Authorities (CAs), it is essential to upload and configure these certificates on the NextGen Gateway to enable secure communication between the gateway, vProbe, and other infrastructure components.
Uploading custom CA certificates ensures:
- Trusted communication with internal systems and APIs
- Prevention of certificate validation errors
- Enhanced network and data security
This guide outlines the process of preparing, uploading, and updating CA certificates for both the NextGen Gateway and the underlying Ubuntu OS.
Uploading Certificates
Step 1: Save Certificates on All Nodes
- Create a directory to store your certificates:
mkdir -p /root/custom-certs cd /root/custom-certs - Place your
.crtcertificate files in the/root/custom-certs/directory.Note
Ensure the certificate files are present on all nodes in your deployment (especially if you’re using HA or multi-node setups).
Step 2: Upload Certificates to the Ubuntu OS
To ensure the underlying OS trusts the provided certificates:
- Copy the certificates:
sudo cp /root/custom-certs/*.crt /usr/local/share/ - Update the system CA store:
sudo update-ca-certificates
Repeat this step on each node hosting the NextGen Gateway or vProbe.
Step 3: Upload Certificates to the NextGen Gateway (via ConfigMap)
A. Create Kubernetes ConfigMap
- Change to the root directory:
cd /root/ - Create the custom-certs ConfigMap from the local certificate files:
Replacekubectl create configmap custom-certs --from-file=custom-certs -n <namespace><namespace>with Kubernetes namespace where NextGen Gateway is deployed.
B. Update the NextGen Gateway Helm Chart
If the gateway is already registered:
- Run the following command to list the installed Helm chart version:
Replacehelm list -n <namespace><namespace>with your gateways namespace. If you don’t have a custom namespace, usedefault.
Example Output
In this output, the chart version is located under the CHART section. For example, if it saysroot@opsram-gateway:/home/gateway-admin# helm list -n default NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION nextgen-gw default 2 2025-07-09 09:31:41.646878942 +0000 UTC failed nextgen-gw-18.0.5 18.0.5nextgen-gw-18.0.5, the version is18.0.5. - Upgrade the Chart to Mount Custom Certificates
Replacehelm upgrade nextgen-gw oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version <Chart_version> -n <namespace><Chart_version>with the version you identified (e.g.,18.0.5) and<namespace>with your gateway’s namespace. - If the gateway is not yet registered, please follow the NextGen Gateway Registration Guide before uploading certificates.
Updating Existing Certificates
If you need to replace or update existing certificates in the custom-certs ConfigMap:
- Delete the existing ConfigMap:
kubectl delete configmap custom-certs -n <namespace - Repeat the certificate upload and Helm upgrade steps described above.
Note
Always ensure all gateway and vProbe nodes have access to the latest CA certificates, and the OS trust store is updated accordingly.Summary Checklist
- Certificates saved on all nodes in /root/custom-certs
- Certificates uploaded to
/usr/local/share/on all nodes - update-ca-certificates run on all Ubuntu nodes
- Kubernetes ConfigMap custom-certs created or updated
- Helm chart for gateway upgraded with new certificates
Additional Notes
- If you manage certificates through automation or GitOps, ensure the /root/custom-certs folder is updated programmatically across nodes.
- Avoid manually editing system trust stores unless necessary, use the documented commands.
- If using self-signed certificates, validate the certificate chain and expiry dates beforehand.