vSphere TLS Thumbprint is included in the vspherecluster custom resource and should also be updated in the workload cluster.


  1. SSH to the management cluster control plane virtual IP with the user name capv.
  2. List all the vSphere clusters including the management cluster.
    kubectl get vsphereclusters -A NAMESPACE NAME AGE default tkg-test-workload 62d default tkg-wld 83d tkg-system tkg-mgmt-cluster 83d
  3. Edit each of the vSphere clusters using the following command and update the spec.thumbprint field with the correct thumbprint.
    kubectl edit vsphereclusters tkg-test-workload
  4. Verify if the update is completed using the following command:
    kubectl get vsphereclusters tkg-test-workload -o yaml
    For management clusters, add the tkg-system namespace to the kubectl commands:
    kubectl edit vsphereclusters -n tkg-system tkg-mgmt-cluster