This document guides user to update airgap server CA certificate of a management cluster manually. Cluster operations, such as creating workload clusters, scaling in/out control plane or node pools, can recover after updating the cluster with new airgap server CA certificate.


Airgap server is updated with new self-signed certificate or private root CA signed certificate.


If airgap server is updated with public signed certificate, updating existing cluster or following the steps in this guide is not required.


  1. Login to TCA CP appliance via SSH with admin account and enter root mode.
  2. Get Resources.
    1. Find the management cluster id via CCLI.
      # ccli list mc
      | INDEX | NAME             | CONTEXT          | ID                                   | CONNECTIVITY | SELECTED |
      | 0     | ipv4-airgap-mgmt | ipv4-airgap-mgmt | 97bad1f2-bbed-4019-b226-b211f50bb3f4 | true         |          |
      | 1     | ipv4-mgmt        | ipv4-mgmt        | b8e55039-63f8-447c-93c3-b86bf26c8412 | true         |          |
      # ccli go 0

      In the following examples, "ipv4-airgap-mgmt" cluster is used, with id "97bad1f2-bbed-4019-b226-b211f50bb3f4".

    2. Locate management cluster kubeconfig file and create alias of management cluster kubectl command.

      The management cluster kubeconfig file is located at /opt/vmware/k8s-bootstrapper/<cluster id>/kubeconfig.

      # alias mk="kubectl --kubeconfig /opt/vmware/k8s-bootstrapper/97bad1f2-bbed-4019-b226-b211f50bb3f4/kubeconfig"
  3. Update tkgcontext of management cluster.
    1. Get cluster tkgcontext id via CCLI.

      In the output of ccli show spec command, tkgID is the tkgcontext id.

      # ccli show spec
      tkgID: 38561a18-3ea9-402f-9568-dca4889a6b11
      id: 97bad1f2-bbed-4019-b226-b211f50bb3f4
      clusterName: ipv4-airgap-mgmt
      kubernetesVersion: v1.22.9+vmware.1
    2. Save, edit and update tkgcontext.
      1. Get tkgcontext json configuration file via curl command and save it to a file.

      2. Modify the file and update its airgap/caCert field with ca file base64 encoding string. If no caCert field, create it in json format. Add vsphere/password field with vc password as value.

      3. Modify tkgcontext via curl command and saved json file.

      4. Delete the json file for security consideration.

      # curl -X GET http://localhost:8888/api/v1/tkgcontext/38561a18-3ea9-402f-9568-dca4889a6b11 | python -m json.tool > tkgcontext.json
      # vi tkgcontext.json # update vc password and caCert
          "id": "38561a18-3ea9-402f-9568-dca4889a6b11",
          "ipFamilies": "IPv4",
          "infrastructure": {
              "type": "vsphere",
              "version": "7.0.3"
          "vsphere": {
              "password": "<my vc password>"
          "airgap": {
              "fqdn": "",
              "caCert": "<update it with new ca.crt base64 string"
      # curl -X PUT http://localhost:8888/api/v1/tkgcontext/38561a18-3ea9-402f-9568-dca4889a6b11 -d "`cat tkgcontext.json`"
  4. Follow these guides to update CA certificate for different management cluster.