Upload CA Certificates to NextGen Gateway

This document applies to the customers deploying the OpsRamp NextGen Gateway and the purpose is to enhance secure communication by uploading trusted CA certificates to the gateway and its host operating system.

Overview

In environments that rely on internal or custom Certificate Authorities (CAs), it is essential to upload and configure these certificates on the NextGen Gateway to enable secure communication between the gateway, vProbe, and other infrastructure components.

Uploading custom CA certificates ensures:

Trusted communication with internal systems and APIs
Prevention of certificate validation errors
Enhanced network and data security

This guide outlines the process of preparing, uploading, and updating CA certificates for both the NextGen Gateway and the underlying Ubuntu OS.

Uploading Certificates

Step 1: Save Certificates on All Nodes

Create a directory to store your certificates:

mkdir -p /root/custom-certs 
cd /root/custom-certs

Place your .crt certificate files in the /root/custom-certs/ directory.
Note
Ensure the certificate files are present on all nodes in your deployment (especially if you’re using HA or multi-node setups).

Step 2: Upload Certificates to the Ubuntu OS

To ensure the underlying OS trusts the provided certificates:

Copy the certificates:

sudo cp /root/custom-certs/*.crt /usr/local/share/

Update the system CA store:
```
sudo update-ca-certificates 
```

Repeat this step on each node hosting the NextGen Gateway or vProbe.

Step 3: Upload Certificates to the NextGen Gateway (via ConfigMap)

A. Create Kubernetes ConfigMap

Change to the root directory:
```
cd /root/ 
```
Create the custom-certs ConfigMap from the local certificate files:
```
kubectl create configmap custom-certs --from-file=custom-certs -n <namespace> 
```
Replace <namespace> with Kubernetes namespace where NextGen Gateway is deployed.

B. Update the NextGen Gateway Helm Chart

If the gateway is already registered:

Run the following command to list the installed Helm chart version:
```
helm list -n <namespace>
```
Replace <namespace> with your gateways namespace. If you don’t have a custom namespace, use default.

Example Output
```
root@opsram-gateway:/home/gateway-admin# helm list -n default
NAME      	NAMESPACE	REVISION	UPDATED                                	STATUS  	CHART            	APP VERSION
nextgen-gw	default  	2       	2025-07-09 09:31:41.646878942 +0000 UTC	failed  	nextgen-gw-18.0.5	18.0.5
```
In this output, the chart version is located under the CHART section. For example, if it says nextgen-gw-18.0.5, the version is 18.0.5.
Upgrade the Chart to Mount Custom Certificates
```
helm upgrade nextgen-gw oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version <Chart_version> -n <namespace> 
```
Replace <Chart_version> with the version you identified (e.g., 18.0.5) and <namespace> with your gateway’s namespace.
If the gateway is not yet registered, please follow the NextGen Gateway Registration Guide before uploading certificates.

Updating Existing Certificates

If you need to replace or update existing certificates in the custom-certs ConfigMap:

Delete the existing ConfigMap:

kubectl delete configmap custom-certs -n <namespace

Repeat the certificate upload and Helm upgrade steps described above.

Note

Always ensure all gateway and vProbe nodes have access to the latest CA certificates, and the OS trust store is updated accordingly.

Summary Checklist

Certificates saved on all nodes in /root/custom-certs
Certificates uploaded to /usr/local/share/ on all nodes
update-ca-certificates run on all Ubuntu nodes
Kubernetes ConfigMap custom-certs created or updated
Helm chart for gateway upgraded with new certificates

Additional Notes

If you manage certificates through automation or GitOps, ensure the /root/custom-certs folder is updated programmatically across nodes.
Avoid manually editing system trust stores unless necessary, use the documented commands.
If using self-signed certificates, validate the certificate chain and expiry dates beforehand.