This topic describes how to list and rotate TLS certificates for Kubernetes clusters provisioned by VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

About NSX Certificate Rotation for Kubernetes Clusters Provisioned by TKGI

You can use the TKGI CLI to rotate the certificates for the NSX load balancer and the certificate for the NSX Principal Identity for the NSX Manager for the specified Kubernetes cluster provisioned by TKGI. To rotate other cluster certificates using the TKGI CLI, see Rotate Kubernetes Cluster Certificates.

WARNING: During NSX TLS certificate rotation, the system will update the Principal Identity certificate to access the NSX Manager API (for the specified TKGI cluster instance). The rotation process will impact network related operations (for the specified TKGI cluster instance), but will not impact existing cluster workloads.

List TLS Certificates Created for NSX

To list the TLS certificates created for a TKGI-provisioned Kubernetes cluster:

  1. Run the following:

    tkgi certificates CLUSTER-NAME -d EXPIRATION-WINDOW


    • CLUSTER-NAME is the name of your cluster.
    • EXPIRATION-WINDOW is the expiration range for the listed certificates. The listed certificates will expire within the designated number of days.

    The returned list of certificates includes TLS certificates used by TKGI for the specified cluster and the certificates named tls-nsx-lb and tls-nsx-t, which are used for NSX.

    For example:

    tkgi certificates tkgi-cluster-01 -d 10000
    NAME                                                                                            Type  Days Left  Valid until  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-lb                        Leaf  1803       2025-12-14T06:47:46Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-kube-proxy-2018           Leaf  1439       2024-12-15T06:47:41Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-ncp-2018                      Leaf  1439       2024-12-15T06:47:41Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-t                         Leaf  708        2022-12-15T06:47:40Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kube-controller-manager-2018  Leaf  1439       2024-12-15T06:47:40Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-metrics-server-2018           Leaf  1439       2024-12-15T06:47:39Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-flanneld-2018-2       Leaf  1439       2024-12-15T06:47:39Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-root-2018-2           Leaf  1439       2024-12-15T06:47:38Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-2018-2                Leaf  1439       2024-12-15T06:47:37Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcd-2018-2                   Leaf  1439       2024-12-15T06:47:36Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-client-2018           Leaf  1439       2024-12-15T06:47:36Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-2018                  Leaf  1439       2024-12-15T06:47:35Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/etcd_ca_2018                      Root  1439       2024-12-15T06:47:35Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubernetes-2018               Leaf  1439       2024-12-15T06:47:34Z  
    /p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/kubo_ca_2018                      Root  1439       2024-12-15T06:47:34Z  

Rotate the TLS Certificates for NSX

To rotate the TLS certificates for NSX:

  1. To skip SSL verification during the certificate rotation, you must first deactivate SSL verification on the TKGI tile. For more information, see the Disable SSL certification verification configuration instructions in Networking.

  2. Run the following:

    tkgi rotate-certs | rotate-certificates CLUSTER-NAME [flags]

    Where CLUSTER-NAME is the name of your cluster.


          --all               Rotate all certs, not implemented yet, will be available in future releases.
      -h, --help              help for rotate-certs
          --json              Return the PKS-API output as json
          --non-interactive   Don't ask for user input
          --only-nsx          Rotate the tls-nsx-lb and tls-nsx-t certificates.
          --wait              Wait for the operation to finish

    For example:

    tkgi rotate-certs tkgi-cluster-01 --only-nsx
    You are about to rotate nsx related certificates for cluster tkgi-cluster-01. This operation requires bosh deployment, and will take a significant time. Are you sure you want to continue? (y/n):

    WARNING: Rotate cluster certificates only on a TKGI cluster that has been upgraded to the current TKGI version. For more information, see Tasks Supported Following a TKGI Control Plane Upgrade in About Tanzu Kubernetes Grid Integrated Edition Upgrades.

  3. If running tkgi rotate-certs fails to rotate the certificates, you must manually rotate the certificates. To manually rotate certificates, see How to rotate Tanzu Kubernetes Grid Integrated Edition tls-nsx-t cluster certificate in the VMware Tanzu Knowledge Base.

For more information, see Rotate Kubernetes Cluster Certificates.

check-circle-line exclamation-circle-line close-line
Scroll to top icon