This topic describes how to rotate certificates used only by the VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) control plane and tile.

This topic covers rotating TKGI control plane certificates only. For more information about TKGI Certificates:

• For conceptual information about certificates in TKGI, see TKGI Certificates.
• To rotate the certificates used by TKGI-deployed Kubernetes clusters, see Rotating Cluster Certificates.

Warning: If you use the TKGI Management Console to manage TKGI on vSphere with NSX, you must use the Management Console to rotate the NSX Manager CA Certificate. To manage your NSX Manager CA Certificate using the TKGI Management Console, see Which Options Can I Reconfigure? in Reconfigure Your Tanzu Kubernetes Grid Integrated Edition Deployment.

Overview

TKGI control plane certificates, and their leaf certificates, are automatically generated by TKGI during installation:

• pxc_server_ca
• pxc_galera_ca
• uaa_active_pks_saml_key_2018
• kubo_odb_ca_2018

Control plane certificates have a default expiration period of four years.

To rotate TKGI control plane certificates, first determine which certificates are due to expire and then rotate them:

• Check Certificate Expiration Dates
• Rotate TKGI Control Plane Certificates

The procedures below can be used to rotate TKGI control plane certificates, certificates for TKGI communication with underlying Ops Manager and BOSH infrastructure, and certificates for components such as database, CredHub, UAA, and Telemetry.

Warning: Never use the CredHub Maestro maestro regenerate ca/leaf –all command to rotate TKGI certificates.

Check Certificate Expiration Dates

Before rotating your certificates, verify which certificates require rotation.

To check certificate expiration dates, see Check Expiration Dates and Certificate Types in the Ops Manager documentation.

Rotate TKGI Control Plane Certificates

TKGI control plane and tile certificates are configurable and non-configurable certificates stored in CredHub. For an explanation of configurable, non-configurable, and other certificate types, see Certificate Types in the Ops Manager documentation.

Rotate configurable and non-configurable certificates as follows:

• Rotate configurable certificates in the tile interface by entering new values and redeploying the tile.

  • All infrastructures: The pks_tls cert is configured in the TKGI tile > TKGI API pane.
  • vSphere with NSX: After rotating the following two configurable certificates, you must also re-register them with the NSX Manager. For instructions, see Rotate the Principal Identity Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key:
    • NSX Manager Super User Principal Identity Certificate, nsx-t-superuser-certificate
    • NSX Manager CA Cert, nsx-t-ca-cert

• Non-configurable certificates rotate automatically with selected tile upgrades. Most of these certificates have four- or five-year expiry periods, so users do not ordinarily need to rotate them.

  • To rotate Non-configurable certificates, use the Rotate Control Plane Certificates Tool. For more information, see How to rotate TKGI control plane CA and leaf certificates in the VMware Tanzu Knowledge Base.