Skip to main content
Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Updating TLS Certificates for Virtru CKS (Helm / Kubernetes)

  • Updated

Overview

This guide provides step-by-step instructions to update the TLS certificate for the Virtru Customer Key Server deployed via Helm in a Kubernetes environment.

You will:

  • Generate a new certificate (using a new or existing private key)
  • Validate the certificate
  • Update the Kubernetes TLS secret
  • Apply the change to your deployment

Prerequisites

Before starting, ensure you have:

  • Access to your Linux CKS server
  • Access to Kubernetes (kubectl)
  • An existing Helm deployment of CKS
  • A new certificate issued by your Certificate Authority (CA)

Step 1: Generate or Reuse Private Key (Linux Server)

Follow the instructions in the Virtru documentation:

https://support.virtru.com/hc/en-us/articles/360050781633-Virtru-Private-Keystore-for-Virtru-Solutions-Reference-Upgrade-SSL-certs-for-CKS

Complete Steps 1–4 from that guide.

This process will:

  • Generate a new private key or reuse the existing private key
  • Generate a Certificate Signing Request (CSR)

Submit the CSR to your Certificate Authority (e.g., DigiCert, GoDaddy).

Step 2: Prepare Certificate Files

Once your certificate is issued, ensure you have:

  • fullchain.pem (certificate + intermediate chain)
  • privkey.pem (private key)

If your key and cert might be named differently (e.g., cks.example.com.key, cks.example.com.crt)

Step 3: Transfer Files (If Needed)

If working from a local machine or separate environment, ensure the following files are accessible where you will run kubectl:

  • fullchain.pem
  • privkey.pem

Step 4: Update Kubernetes TLS Secret

⚠️ The namespace must exist before creating or updating the secret.

Follow the instructions here: https://support.virtru.com/hc/en-us/articles/39133356895383-Kubernetes-TLS-Secret

  • Update the values.yaml:
tls:
  - secretName: cks-tls-secret
    hosts:
      - fqdn.yourdomain.com
  • Delete the existing secret:
kubectl delete secret cks-tls-secret -n virtru
  • Create the new TLS secret:
kubectl create secret tls cks-tls-secret \
  --cert=/full/path/to/fullchain.pem \
  --key=/full/path/to/privkey.pem \
  -n virtru

Step 5: Restart Deployment (If Needed)

In most cases, the ingress will pick up the new certificate automatically.

Apply changes:

helm upgrade --install cks . -n virtru -f values.yaml --create-namespace --wait

Restart the deployment:

kubectl rollout restart deployment cks -n virtru

Step 6: Verify Certificate

verify the secret exist

kubectl get secret cks-tls-secret -n virtru

Check ingress configuration

kubectl get ingress -n virtru
kubectl describe ingress -n virtru

Test endpoint

curl https://cks.example.com/status

Or open in a browser:

https://cks.example.com/status

Confirm:

  • The certificate is updated
  • No browser warnings are present

Step 7: Validate Functionality

After updating the certificate:

  • Send a test encrypted email
  • Confirm decryption works as expected
  • Verify there are no TLS or connectivity errors

Related articles