How to revert to the default ingress certificate after replacing it with a custom certificate in Red Hat OpenShift Container Platform 4?
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4.x
Issue
- How to revert to the default ingress certificate after a custom certificate has been configured for the default ingress?
Resolution
- The default ingress certificate is present inside the secret router-certs-default in the openshift-ingress namespace.
- When a custom certificate is configured for the ingress by following the documentation "Replacing the default ingress certificate", the secret that contains the certificate chain and private key has the name that was given when the secret was created.
To revert to the default ingress certificate, follow the steps below:
- Take a backup of the current secret that contains the custom certificate and key, then delete the secret:
# oc get secret <secret_name> -oyaml -n openshift-ingress >> certbackup.yaml
# oc delete secret <secret_name> -n openshift-ingress
- Take a backup of the default ingress controller, then edit it:
# oc get --namespace=openshift-ingress-operator ingresscontroller/default -oyaml >> ingress.yaml
# oc edit ingresscontroller.operator default -n openshift-ingress-operator
Remove the following entry from the spec:
'{"spec":{"defaultCertificate": {"name": "secret_name"}}}'
Before editing:
----------SNIP-----------
Spec:
  Default Certificate:
    Name: secret_name
  Replicas: 2
---------SNIP------------
After editing:
-------SNIP-------------
Spec:
  Replicas: 2
Status:
------SNIP---------------
- Instead of editing manually, the default ingress controller can be patched to remove the entry:
# oc patch -n openshift-ingress-operator ingresscontrollers/default --type json -p $'- op: remove\n  path: /spec/defaultCertificate'
- Delete the default router pods inside the openshift-ingress project:
# oc delete po --all -n openshift-ingress
- Check the pod and cluster operator (CO) status:
# oc get po -n openshift-ingress
# oc get co
- Verify that the default secret router-certs-default, which contains the default ingress certificate and the key, is present inside the openshift-ingress namespace:
# oc get secret -n openshift-ingress | grep router-certs
- Finally, try to access the routes to confirm that they are working.
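One way to confirm the outcome of the steps above is to compare the certificate the router actually serves with the one stored in router-certs-default. This is an added example, not part of the original solution or Red Hat tooling; the function names, the route host argument and the optional PEM copy of the custom certificate are assumptions.

```bash
#!/usr/bin/env bash
# Added example: confirm which certificate the default router serves after the revert.
# Function names and script arguments are hypothetical, not Red Hat tooling.

# Print the SHA-256 fingerprint of the first PEM certificate read from stdin.
cert_fp() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate a route host presents on port 443.
served_fp() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | cert_fp
}

# Fingerprint of the certificate stored in a secret in openshift-ingress.
secret_fp() {
  oc get secret "$1" -n openshift-ingress -o jsonpath='{.data.tls\.crt}' | base64 -d | cert_fp
}

# Classify: $1 = served, $2 = router-certs-default, $3 = custom (may be empty).
verdict() {
  if [ -z "$1" ]; then echo "no-certificate"
  elif [ -n "$3" ] && [ "$1" = "$3" ]; then echo "custom-still-served"
  elif [ "$1" = "$2" ]; then echo "default-served"
  else echo "unknown-certificate"
  fi
}

# Usage: script <route_host> [PEM copy of the custom certificate]
if [ "$#" -gt 0 ]; then
  custom=""
  [ -n "${2:-}" ] && custom=$(cert_fp < "$2")
  # An empty result means spec.defaultCertificate was removed.
  name=$(oc get ingresscontroller default -n openshift-ingress-operator \
    -o jsonpath='{.spec.defaultCertificate.name}')
  [ -n "$name" ] && echo "spec.defaultCertificate still set: $name"
  result=$(verdict "$(served_fp "$1")" "$(secret_fp router-certs-default)" "$custom")
  echo "$result"
  [ "$result" = "default-served" ]
fi
```

The second argument needs only the certificate in PEM form; the private key held in certbackup.yaml is not required for the comparison. A result of custom-still-served usually means the router pods have not yet been recreated.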
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.