Install a Custom Signed Certificate

When you first log in to the NetQ UI via an on-premises deployment, your browser will display a warning indicating that the default certificate is not trusted. You can avoid this warning by installing your own signed certificate using the steps outlined on this page. The self-signed certificate is sufficient for non-production environments or cloud deployments.

If you already have a certificate installed and want to change or update it, run the kubectl delete secret netq-gui-ingress-tls [name] --namespace default command.

You need the following items to perform the certificate installation:

  • A valid X.509 certificate, containing a Subject Alternative Name (SAN) attribute.

  • A private key file for the certificate.

  • A DNS record name configured to access the NetQ UI.

    The FQDN should match the common name of the certificate. If you use a wild card in the common name — for example, if the common name of the certificate is * — then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like

  • A functioning and healthy NetQ instance.

    You can verify this by running the netq show opta-health command.
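
The requirements above can be checked with openssl before the certificate and key are loaded into the netq-gui-ingress-tls secret. The following is an added example, not part of the NetQ documentation: the helper names check_tls_pair and make_sample_pair and the hostname netq.example.com are assumptions, and it expects openssl 1.1.1 or later on the machine where it runs.

```shell
# check_tls_pair <cert> <key> <fqdn>: returns 0 only if every check passes.
# Helper names and netq.example.com are assumptions made for this example.
check_tls_pair() {
    cert=$1; key=$2; fqdn=$3; rc=0

    # 1. The certificate must carry a Subject Alternative Name extension.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null |
            grep -q 'Subject Alternative Name'; then
        echo "FAIL: no SAN extension in $cert"; rc=1
    fi

    # 2. The DNS name used to reach the NetQ UI must be covered by the certificate.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $fqdn is not covered by $cert"; rc=1
    fi

    # 3. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; rc=1
    fi

    # 4. The key must belong to the certificate: both must yield the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $fqdn"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed pair with a SAN for <fqdn>.
make_sample_pair() {  # make_sample_pair <dir> <fqdn>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Demo run on the constructed pair.
tmp=$(mktemp -d)
make_sample_pair "$tmp" netq.example.com
check_tls_pair "$tmp/sample.crt" "$tmp/sample.key" netq.example.com
rm -rf "$tmp"
```

On the NetQ VM, call check_tls_pair with your own certificate, key file and FQDN; a non-zero return means the pair should be fixed before you create the secret.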

Install a Certificate using the NetQ CLI

  1. Log in to the NetQ VM via SSH and copy your certificate and key file there.

  2. Generate a Kubernetes secret called netq-gui-ingress-tls:

    cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \
        --namespace default \
        --key <name of your key file>.key \
        --cert <name of your cert file>.crt
  3. Verify that you created the secret successfully:

    cumulus@netq-ts:~$ kubectl get secret
    NAME                               TYPE                                  DATA   AGE
    netq-gui-ingress-tls                          2      5s
  4. Update the ingress rule file to install self-signed certificates.

    1. Create a new file called ingress.yaml.

    2. Copy and add the following content to the file:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations: "true" "HTTPS" "3600" "3600" "3600" 10g "off"
      name: netq-gui-ingress-external
      namespace: default
    spec:
      ingressClassName: ingress-nginx-class
      rules:
      - host: <your-hostname>
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: netq-gui
                port:
                  number: 80
      tls:
      - hosts:
        - <your-hostname>
        secretName: netq-gui-ingress-tls

    3. Replace <your-hostname> with the FQDN of the NetQ VM.

  5. Apply the new rule:

    cumulus@netq-ts:~$ kubectl apply -f ingress.yaml
    ingress.extensions/netq-gui-ingress-external configured

    The message above appears if your ingress rule is successfully configured.

  6. Configure the NetQ API to use the new certificate.

    Edit the netq-swagger-ingress-external ingress:

    kubectl edit ingress netq-swagger-ingress-external

    Add the tls: section in the spec: stanza, referencing your configured hostname and the netq-gui-ingress-tls secretName:

    spec:
      rules:
      - host: <hostname>
        http:
          paths:
          - backend:
              serviceName: swagger-ui
              servicePort: 8080
            path: /swagger(/|$)(.*)
      tls:
      - hosts:
        - <hostname>
        secretName: netq-gui-ingress-tls

    After saving your changes, delete the current swagger-ui pod to restart the service:

    cumulus@netq-ts:~$ kubectl delete pod -l app=swagger-ui
    pod "swagger-ui-deploy-69cfff7b45-cj6r6" deleted

Your custom certificate should now be working. Verify this by opening the NetQ UI at https://<your-hostname-or-ipaddr> in your browser.