This topic describes how to list and rotate TLS certificates for Kubernetes clusters provisioned by Tanzu Kubernetes Grid Integrated Edition.
About NSX-T Certificate Rotation for Kubernetes Clusters Provisioned by TKGI
You can use the TKGI CLI to rotate the certificates for the NSX-T load balancer and the certificate for the NSX-T Principal Identity for the NSX Manager for the specified Kubernetes cluster provisioned by TKGI. To rotate other cluster certificates using the TKGI CLI, see Rotate Kubernetes Cluster Certificates.
WARNING: During NSX-T TLS certificate rotation, the system will update the Principal Identity certificate to access the NSX Manager API (for the specified TKGI cluster instance). The rotation process will impact network related operations (for the specified TKGI cluster instance), but there should be no impact for existing cluster workloads.
List TLS Certificates Created for NSX-T
To list the TLS certificates created for a TKGI-provisioned Kubernetes cluster, run the following command:
tkgi certificates <ClusterName> -d <number of days>
For example:
tkgi certificates tkgi-cluster-01 -d 10000
The sample output lists all TLS certificates that TKGI uses for the specified cluster. The certificates named tls-nsx-lb and tls-nsx-t are used for NSX-T.
NAME Type Days Left Valid until
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-lb Leaf 1803 2025-12-14T06:47:46Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-kube-proxy-2018 Leaf 1439 2024-12-15T06:47:41Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-ncp-2018 Leaf 1439 2024-12-15T06:47:41Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-t Leaf 708 2022-12-15T06:47:40Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kube-controller-manager-2018 Leaf 1439 2024-12-15T06:47:40Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-metrics-server-2018 Leaf 1439 2024-12-15T06:47:39Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-flanneld-2018-2 Leaf 1439 2024-12-15T06:47:39Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-root-2018-2 Leaf 1439 2024-12-15T06:47:38Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-2018-2 Leaf 1439 2024-12-15T06:47:37Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcd-2018-2 Leaf 1439 2024-12-15T06:47:36Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-client-2018 Leaf 1439 2024-12-15T06:47:36Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-2018 Leaf 1439 2024-12-15T06:47:35Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/etcd_ca_2018 Root 1439 2024-12-15T06:47:35Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubernetes-2018 Leaf 1439 2024-12-15T06:47:34Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/kubo_ca_2018 Root 1439 2024-12-15T06:47:34Z
Rotate the TLS Certificates for NSX-T
To rotate the TLS certificates for NSX-T:
-
Run the following command:
tkgi rotate-certs | rotate-certificates <ClusterName> [flags]Flags:
--all Rotate all certs, not implemented yet, will be available in future releases. -h, --help help for rotate-certs --json Return the PKS-API output as json --non-interactive Don't ask for user input --only-nsx Rotate the tls-nsx-lb and tls-nsx-t certificates. --wait Wait for the operation to finishFor example:
tkgi rotate-certs tkgi-cluster-01 –only-nsx
You are about to rotate nsx related certificates for cluster tkgi-cluster-01. This operation requires bosh deployment, and will take a significant time. Are you sure you want to continue? (y/n):
-
If running
tkgi rotate-certsfails to rotate the certificates, you must manually rotate the certificates. To manually rotate certificates, see How to rotate Tanzu Kubernetes Grid Integrated Edition tls-nsx-t cluster certificate in the VMware Tanzu Knowledge Base.
For more information, see Rotate Kubernetes Cluster Certificates.
