Tanzu Kubernetes Grid Integrated Edition Certificates

This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates and how to rotate them.

Overview of TKGI Certificates

TKGI secures all communication between TKGI control plane components and TKGI-managed Kubernetes clusters with RSA Certificate Authority (CA) certificates and leaf certificates that they issue:

  • Non-configurable certificates rotate automatically with selected TKGI tile upgrades.
  • Configurable certificates must be periodically checked for expiration dates and rotated.

All TKGI control plane and tile certificates are stored in CredHub.

For more information, see Certificate Types in the Ops Manager documentation.

Rotating Certificates

TKGI certificates fall into different types based on where they are used, and how you check expirations and rotate them.

With NSX-T networking, TKGI uses additional certificates that you must register with the NSX Manager after rotating them.

The following table lists these types and their check and rotation procedures:

Used By                                   Configurable?   How to Rotate
TKGI Control Plane                        N*              Rotate TKGI Control Plane Certificates
TKGI Control Plane (NSX-T)                Y               Rotating the Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key
TKGI Control Plane and Clusters, Shared   N*              Rotate Shared Cluster Certificates
Unique to Cluster                         Y               Rotate Cluster-Specific Certificates
                                                          Rotate Cluster-Specific NSX-T Certificates

*Non-configurable certificates rotate with tile upgrade and do not ordinarily require manual rotation.
