This topic describes how to rotate certificates used only by the Tanzu Kubernetes Grid Integrated Edition (TKGI) control plane and tile.
This topic covers rotating TKGI control plane certificates only. For more information about TKGI Certificates:
Warning: If you use the TKGI Management Console to manage TKGI on vSphere with NSX‑T, you must use the Management Console to rotate the NSX Manager CA Certificate. To manage your NSX Manager CA Certificate using the TKGI Management Console, see Which Options Can I Reconfigure? in Reconfigure Your Tanzu Kubernetes Grid Integrated Edition Deployment.
TKGI control plane certificates, and their leaf certificates, are automatically generated by TKGI during installation:
pxc_server_ca
pxc_galera_ca
uaa_active_pks_saml_key_2018
kubo_odb_ca_2018
Control plane certificates have a default expiration period of four years.
To rotate TKGI control plane certificates, first determine which certificates are due to expire and then rotate them:
The procedures below can be used to rotate TKGI control plane certificates, certificates for TKGI communication with underlying Ops Manager and BOSH infrastructure, and certificates for components such as database, CredHub, UAA, and Telemetry.
Warning: Never use the CredHub Maestro maestro regenerate ca/leaf –all
command to rotate TKGI certificates.
Before rotating your certificates, verify which certificates require rotation.
To check certificate expiration dates, see Check Expiration Dates and Certificate Types in the Ops Manager documentation.
TKGI control plane and tile certificates are configurable and non-configurable certificates stored in CredHub. For an explanation of configurable, non-configurable, and other certificate types, see Certificate Types in the Ops Manager documentation.
Rotate configurable and non-configurable certificates as follows:
Rotate configurable certificates in the tile interface by entering new values and redeploying the tile.
pks_tls
cert is configured in the TKGI tile > TKGI API pane.nsx-t-superuser-certificate
nsx-t-ca-cert
Non-configurable certificates rotate automatically with selected tile upgrades. Most of these certificates have four- or five-year expiry periods, so users do not ordinarily need to rotate them.