Rotating Tanzu Kubernetes Grid Integrated Edition Control Plane Certificates

This topic describes how to rotate certificates used only by the Tanzu Kubernetes Grid Integrated Edition (TKGI) control plane and tile. These include certificates for TKGI components such as database, CredHub, UAA, and Telemetry, as well as for communication with underlying Ops Manager and BOSH infrastructure.

This topic covers the TKGI control plane only. For certificates used by the TKGI control plane to communicate with TKGI-deployed clusters, see Rotate Shared Cluster Certificates in Rotating Cluster Certificates. For certificates used by TKGI-deployed Kubernetes clusters, see Rotating Cluster Certificates.

Check Certificate Expiration Dates

Before rotating your certificates, verify which certificates require rotation.

To check certificate expiration dates, see Check Expiration Dates and Certificate Types in the Ops Manager documentation.
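The Ops Manager documentation covers reading expiry dates from the tile. As an added example that is not part of the TKGI documentation, the script below shows how to verify a certificate's remaining lifetime once you have it as a PEM file (for instance, a certificate exported from CredHub or pasted out of the tile). It generates its own constructed self-signed certificate with a placeholder subject name, so it runs offline; the helper names `cert_days_left` and `needs_rotation`, the 30-day rotation window, and GNU `date` are assumptions of this example, not anything the TKGI tile provides.

```shell
#!/bin/sh
# Added example (not from the TKGI docs): report whether a PEM certificate
# expires within a rotation window, using only openssl and GNU date.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample certificate: self-signed and valid for 20 days, standing
# in for a control plane certificate exported from CredHub or Ops Manager.
# The subject is a placeholder (.invalid TLD), not a real TKGI host.
openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
  -subj "/CN=example-pks-api.invalid" \
  -keyout "$WORKDIR/sample.key" -out "$WORKDIR/sample.pem" >/dev/null 2>&1
SAMPLE_CERT="$WORKDIR/sample.pem"

# Print the whole days remaining until the certificate's notAfter time.
cert_days_left() {
  cert="$1"
  not_after="$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')"
  expiry_epoch="$(date -u -d "$not_after" +%s)"
  now_epoch="$(date -u +%s)"
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Return 0 (true) when the certificate expires within $2 days, i.e. it should
# be rotated now; return 1 otherwise. openssl's -checkend exits non-zero when
# the expiry falls inside the window, so the result is inverted here.
needs_rotation() {
  cert="$1"
  window_days="$2"
  if openssl x509 -noout -checkend $(( window_days * 86400 )) -in "$cert" >/dev/null; then
    return 1
  fi
  return 0
}

printf 'days left: %s\n' "$(cert_days_left "$SAMPLE_CERT")"
if needs_rotation "$SAMPLE_CERT" 30; then
  echo "rotate: certificate expires within 30 days"
else
  echo "ok: certificate is outside the 30-day rotation window"
fi
```

Point `SAMPLE_CERT` at a real exported PEM to use it in practice; the same check applies to any of the control plane certificates listed in this topic, and running it against each file before a planned tile redeploy tells you which ones actually need new values.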

Rotate TKGI Control Plane Certificates

TKGI control plane and tile certificates are configurable and non-configurable certificates stored in CredHub. For an explanation of configurable, non-configurable, and other certificate types, see Certificate Types in the Ops Manager documentation.

Rotate configurable and non-configurable certificates as follows:

  • Rotate configurable certificates in the tile interface by entering new values and redeploying the tile.

    • All infrastructures: The pks_tls cert is configured in the TKGI tile > TKGI API pane.
    • vSphere with NSX-T: After rotating the following two configurable certificates, you must also re-register them with the NSX Manager. For instructions, see Rotating the Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key:
      • NSX Manager Super User Principal Identity Certificate, nsx-t-superuser-certificate
      • NSX Manager CA Cert, nsx-t-ca-cert
  • Non-configurable certificates rotate automatically with selected tile upgrades. Most of these certificates have four- or five-year expiry periods, so users do not ordinarily need to rotate them. If rotation is needed, contact Support.


Please send any feedback you have to pks-feedback@pivotal.io.