Maintain a secure connection with Compass

After you have established a secure connection with Compass, you can fetch the configuration details and renew the client certificate before it expires. To renew the client certificate, follow the steps in this tutorial.



  1. Get the CSR information with the configuration details.

    To fetch the configuration, make a call to the Certificate-Secured Connector URL using the client certificate. The Certificate-Secured Connector URL is the certificateSecuredConnectorURL obtained when establishing a secure connection with Compass. Send this query with the call:

    Click to copy
    query {
    result: configuration {
    certificateSigningRequestInfo {
    managementPlaneInfo {

    A successful call returns the requested configuration details.

  2. Generate a key and a Certificate Signing Request (CSR).

    Generate a CSR with this command using the certificate subject data obtained with the CSR information:

    Click to copy
    export KEY_LENGTH=4096
    openssl genrsa -out compass-app.key $KEY_LENGTH
    openssl req -new -sha256 -out compass-app.csr -key compass-app.key -subj "{SUBJECT}"

    NOTE: The key length is configurable, however, 4096 is the recommended value.

  3. Sign the CSR and renew the client certificate.

    Encode the obtained CSR with base64:

    Click to copy
    openssl base64 -in compass-app.csr

    Send the following GraphQL mutation with the encoded CSR to the Certificate-Secured Connector URL:

    Click to copy
    mutation {
    result: signCertificateSigningRequest(csr: "{BASE64_ENCODED_CSR}") {

    The response contains a renewed client certificate signed by the Kyma Certificate Authority (CA), certificate chain, and the CA certificate.

  4. Decode the certificate chain.

    The returned certificates and the certificate chain are base64-encoded and need to be decoded before use. To decode the certificate chain, run:

    Click to copy
    base64 -d {CERTIFICATE_CHAIN}

NOTE: See how to revoke a client certificate.