Tanzu Kubernetes Grid Integrated Edition Certificates

Page last updated:

This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates and how to rotate them.

Overview of TKGI Certificates

TKGI secures all communication between TKGI control plane components and TKGI-managed Kubernetes clusters using Transport Layer Security (TLS) validated by RSA Certificate Authority (CA) certificates and leaf certificates that they issue:

  • TKGI Control Plane Certificates

    TKGI control plane certificates secure TKGI control plane component communication with the TKGI API server and TKGI DB server.

  • TKGI User-Configurable Certificates

    TKGI user-configurable TKGI certificates must be configured by TKGI administrators.

  • BOSH Certificates used by TKGI

    The BOSH certificates used by TKGI, are generated by BOSH.

  • TKGI-Provisioned Kubernetes Cluster Certificates

    The TKGI-Provisioned Kubernetes Cluster certificates, and their leaf certificates, used by Kubernetes clusters are unique to each Kubernetes cluster and are automatically generated by TKGI. TKGI manages the life-cycle of the per-cluster CA and the certificates it signs.

    • NSX-T-Only TKGI Kubernetes Cluster Certificates

      NSX-T-only TKGI Kubernetes cluster certificates must be registered with NSX Manager.


The certificates used by TKGI automatically expire and must be rotated. For more information, see Check Certificate Expiration Dates and Rotating Certificates below.

For more information about certificates, see Certificate Types in the Ops Manager documentation.

Check Certificate Expiration Dates

Before rotating TKGI certificates you should determine which certificates are approaching expiration.

To review certificate expiration dates:

  • Review certificate expiration dates using Ops Manager. To see certificate expiration dates, open the Ops Manager and select the Certificates tab.
  • Use CredHub to export the certificate expiration dates for the TKGI deployment or one or more clusters. For more information, see How to get the expiry dates of all CA’s & certificates in the PKS deployment and clusters in the VMware Tanzu Knowledge Base.
  • Use the TKGI CLI to export the certificate expiration dates for Kubernetes cluster certificates. For more information, see List TLS Certificates in Rotate Kubernetes Cluster Certificates.

Rotating Certificates

VMware that TKGI administrators occasionally verify the expiration dates of their TKGI certificates, and when needed, rotate expiring certificates. See Check Certificate Expiration Dates above to review your TKGI certificate expiration dates.

Warning: Never use the CredHub Maestro maestro regenerate ca/leaf --all command to rotate TKGI certificates.

The following summarizes the rotation requirements for the certificates used in TKGI environments:

  • TKGI Control Plane Certificates

    Certificate Default Expiration Rotation Description
    pxc_server_ca
    and leaf certificates
    Four years See Rotate TKGI Control Plane Certificates or How to rotate TKGI control plane CA and leaf certificates in the VMware Tanzu Knowledge Base.
    pxc_galera_ca
    and leaf certificates
    uaa_active_pks_saml_key_2018
    and leaf certificates
    kubo_odb_ca_2018
    and leaf certificates
  • TKGI User-Configurable TKGI Certificates

    Certificate Default Expiration Rotation Description
    pks_tls Admin-defined Open the TKGI API tab on the TKGI tile.

    The TKGI API Service certificate is used to secure access to the TKGI API endpoint.
    nsx-t-superuser-certificate Admin-defined See Rotate the Principal Identity Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key or How to renew the nsx-t-superuser-certificate used by Principal Identity user in the VMware Tanzu Knowledge Base.

    The NSX-T SuperUser certificate is used to secure access to the NSX-T manager.
  • BOSH Certificates used by TKGI

    Certificate Default Expiration Rotation Description
    bosh_dns_health_client_tls One year See How to rotate bosh-dns certificates in TKGI 1.9+ using maestro in the VMware Tanzu Knowledge Base.
    bosh_dns_health_server_tls
    dns_api_client_tls
    dns_api_server_tls


    To extend the default expiration period, see Overriding Duration for Certificates in the Ops Manager documentation.

  • TKGI Kubernetes Cluster Certificates

    Certificate and leaf certificates Default Expiration Rotation Description
    kubo_master_ca_2021

    and leaf certificates:
    tls-kubernetes-2018,
    tls-ncp-2018 (with NSX-T),
    tls-nsx-kube-proxy-2018 (with NSX-T)
    Four years See Rotate Kubernetes Cluster Certificates.
    kubo_ca_2018

    and leaf certificates:
    tls-kubelet-2018,
    tls-metrics-server-2018,
    tls-kubelet-client-2018,
    tls-kube-controller-manager-2018
    etcd_ca_2018

    and leaf certificates:
    tls-etcd-2018-2,
    tls-etcdctl-2018-2,
    tls-etcdctl-root-2018-2,
    tls-etcdctl-flanneld-2018-2
    • NSX-T-Only TKGI Kubernetes Cluster Certificates

      Certificate Default Expiration Rotation Description
      tls-nsx-t Two years See Rotate NSX-T Certificates Only in Rotate Kubernetes Cluster Certificates.
      The NSX-T only certificates must be registered with NSX Manager.
      tls-nsx-lb Five years

Please send any feedback you have to pks-feedback@pivotal.io.