Updating TLS/SSL certificates#

You can replace the self-signed certificates Data Science & AI Workbench generates during installation at any time.

Preparing for the update#

Anaconda recommends that you gather the following information and files before you proceed. If you are using the admin console, place your files in a location where you can view them to copy their contents into the applicable fields within the UI. If you are updating your certificates using the command line, you’ll need to copy your files to the server.

Most installations will need the following items:
  • The fully qualified domain name (FQDN) of the server

  • The public SSL certificate for the domain: tls.crt

  • The private SSL key for the domain: tls.key

  • If applicable, the intermediate certificate bundle: intermediate.pem

  • If your certificate was issued by a private root CA, the public certificate for that CA: rootca.crt

If you are using LetsEncrypt, your filenames will be different:
  • The public SSL certificate for the domain: cert.pem

  • The private SSL key for the domain: privkey.pem

  • The intermediate certificate bundle: chain.pem

  • No root CA file is needed in this case.

If you are using a different domain and/or SSL certificate for the session/deployment subdomains, you also need:
  • The wildcard subdomain FQDN

  • The public SSL certificate for the wildcard subdomain: wildcard.crt

  • The private SSL key for the wildcard subdomain: wildcard.key

Note

  • Workbench assumes that the intermediate certificate and root CA (if applicable) are identical for both certificates.

  • Workbench version 5.6+ automatically applies the updated SSL certificates to all running sessions and deployments.

Updating SSL certificates#

You can update your TLS/SSL certificates using the Workbench administrator console.

  1. Log in to Workbench as an administrator.

  2. Open the My Account dropdown menu and select Admin Console.

  3. Select Web Certificates from the left-hand menu.

  4. Enter your certificate and key information from the files you gathered during preparation into the appropriate fields. Make sure to paste the content of each file into the appropriate box, not the filenames.

    • Domain name: The server FQDN

    • SSL Certificate: tls.crt / cert.pem

    • SSL Private Key: tls.key / privkey.pem

    • Root Certificate: rootca.crt if applicable

    • Intermediate Certificate: intermediate.pem / chain.pem if applicable

    • Wildcard Domain: The subdomain FQDN if applicable; the server FQDN again if not. Do not include an asterisk.

    • Wildcard Certificate: wildcard.crt if applicable; tls.crt / cert.pem if not.

    • Wildcard Private Key: wildcard.key if applicable; tls.key / privkey.pem if not.

  5. Click Save to update the platform with your changes.

  6. If your root CA has changed, restart the Workbench system pods to ensure the pods that use this certificate pick up the new copy by running the following command:

    # Replace <NAMESPACE> with your Workbench cluster namespace
    kubectl delete -n <NAMESPACE> --wait=false $(kubectl get pods -o name|grep ap-)
    

Note

If you use the Workbench CLI, you must configure the certificates there as well.