As a vSphere administrator, you can replace the certificate for the virtual IP address (VIP) to securely connect to the Supervisor API endpoint with a certificate signed by a CA that your hosts already trust. The certificate authenticates the Kubernetes control plane to DevOps engineers, both during login and subsequent interactions with the Supervisor.


Verify that you have access to a CA that can sign CSRs. For DevOps engineers, the CA must be installed on their system as a trusted root.

For more information about the Supervisor certificate, see Supervisor CA Certificate.


  1. In the vSphere Client, navigate to Workload Management.
  2. Select Supervisors and then select the Supervisor from the list.
  3. Click Configure and select Certificates.
  4. In the Workload Management Platform pane, select Actions > Generate CSR.
    Figure 1. Replacing Supervisor default certificate

    The Configure certificates tab displays the default certificates.
  5. Provide the details for the certificate.
    Note: If you use an identity provider service, you must also include the entire certificate chain. The chain is not required for standard HTTPS traffic, however.
  6. Once the CSR is generated, click Copy.
  7. Sign the certificate with a CA.
  8. From the Workload Platform Management pane, select Actions > Replace Certificate.
  9. Upload the signed certificate file and click Replace Certificate.
  10. Validate the certificate on the IP address of the Kubernetes control plane.
    For example, you can open the Kubernetes CLI Tools for vSphere download page and confirm that the certificate is replaced successfully by using the browser. On a Linux or Unix system, you can also use echo | openssl s_client -connect ip:6443. The -connect option takes host:port, not a URL.
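
Steps 7 and 10 can also be done from a shell with the OpenSSL CLI. The following is an added example, not part of the original procedure or VMware's own tooling: it signs a CSR with the VIP as an IP SAN, then checks the chain, the SAN and the expiry of the resulting certificate, which goes further than the browser check. The function names, file names, the demo CA and the VIP 192.0.2.10 are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names, file names and the demo CA are constructed.

# Constructed stand-ins for your CA and for the CSR copied in step 6.
make_constructed_pki() {   # usage: make_constructed_pki <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=supervisor.example.test" \
    -keyout "$1/vip.key" -out "$1/vip.csr" 2>/dev/null
}

# Step 7. "openssl x509 -req" does not copy extensions from the CSR by default,
# so the VIP is set as an IP SAN at signing time.
sign_csr() {               # usage: sign_csr <csr> <ca.crt> <ca.key> <vip> <out.crt>
  _ext=$(mktemp)
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$4" > "$_ext"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -sha256 -extfile "$_ext" -out "$5" 2>/dev/null
  _rc=$?; rm -f "$_ext"; return $_rc
}

# Step 10, live endpoint: print the leaf certificate presented on <vip>:6443.
fetch_cert() {             # usage: fetch_cert <vip> [port]
  openssl s_client -connect "$1:${2:-6443}" </dev/null 2>/dev/null | openssl x509
}

# Step 10, checks: 1 = chain not trusted, 2 = VIP missing from SAN, 3 = expired.
check_cert() {             # usage: check_cert <cert.pem> <ca.crt> <vip>
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "chain does not verify against $2" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkip "$3" 2>/dev/null | grep -q 'does match' ||
    { echo "certificate has no IP SAN for $3" >&2; return 2; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "certificate is expired" >&2; return 3; }
}

# Against a real Supervisor (placeholders for your VIP and CA file):
#   fetch_cert <vip> > live.pem && check_cert live.pem <ca.crt> <vip>
```

A return code of 1 from check_cert after a replacement usually means the endpoint is still serving the default certificate or the CA file is not the one that signed the CSR.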