Updating the Apigee SSL Ceritificates for *.api.ucsb.edu is not incredibly straight forward, and these steps are (sometimes) specific to the Student Affairs environment.
Once a year, a reminder notice should come from InCommon/Cert Manager informing us that the certificates will expire within a month. At that time these steps can be take to renew/recreate the SSL certificates and apply them to the Apigee proxy/load balancers.
- Use the top section of the script found within source control (link) to generate .csr files for the requests.
The Powershell script indicates what folder the .csr files will be generated into. You will need to have the Student Affairs Powershell modules installed to run the script (link).
Send an email to the person who is going to sign-off/approve the creation of the certificates in order to give them a heads up that the request is coming (usually Joe Sabado).
Using ServiceNow (https://ucsb.service-now.com/global), send the .csr to ETS/OCIO using the SSL Certificate Request option.
DepartmentHead Jose Sabado (aka. Joe Sabado) TechnicalContactEmail api-team at developer.ucsb.edu CertificateSigningRequest Comments
Be sure to include the URL in the Comments section. The email that the Department Head receives doesn't make it very clear which certificate is being requested. If the Comments fields contains the URL, then it's easier for the Department Head to find.
The Department Head will approve the request and Service Now will complete processing; at which point the Technical Contact Email above will receive an email from Cert Manager which contains multiple download links for the CA-signed/partially completed certificate.
Download the file from the Email (use PKCS#7 (not PEM encoded)). The files should be downloaded into the same folder that the .csr file was generated into. The file should have a .p7b file extension.
Use the Powershell script to accept the .p7b file and finalize the certificate creation, and then generate a .pfx file with a password.
In a browser, navigate to apigee.com/edge > Admin > Environments > TLS Keystores > (dev)
In the Apigee page, create a new Keystore for each environment with year appended to it.
In the keystore add an alias for the certificate, use the url as the alias/name. Do not append the year to this one, it should be the same name for each environments keystore.
There will be a PFX file option.
- Finally, in Apigee, head to the Virtual Hosts page and and update the environment specific secure-api Virtual Hosts to use the new Keystore.
(verify the new certificate is being used in a browser with this url: https://dev.api.ucsb.edu/notreal)