WCP specific certificates

| Cert Path | Signed By | Used for | Cert Lifetime |
|---|---|---|---|
| /etc/vmware/wcp/tls/vip.crt | VMCA/Custom | TLS certificate served by the nginx proxy running in front of each CP VM on the workload network | 1 Year / Custom |
| /etc/vmware/wcp/tls/mgmt.crt | K8s CA | TLS certificate served by the nginx proxy running in front of each CP VM on the management network | 1 Year |
| /etc/vmware/wcp/tls/ncp/lb-default.cert | VMCA/Custom | Certificate applied to Service IPs built on the Ingress network in NSX-T | 1 Year / Custom |
| /etc/vmware/wcp/tls/wcpusr.cert | VMCA | Client certificate for the VC solution user for WCP | 2 Years* |
| /etc/vmware/wcp/tls/schedext.cert | self-signed | TLS certificate served by schedext | 2 Years |
| /etc/vmware/wcp/tls/authproxy.crt | K8s CA | TLS certificate served by authproxy | 2 Years |
| /etc/vmware/wcp/tls/docker-reg.crt | K8s CA | TLS certificate served by the internal docker registry | 2 Years |
| /etc/vmware/wcp/tls/wcpagent.cert | VMCA | Was: TLS certificate for the docker registry and authproxy. No longer in use after 7.0 U1 | |
Kubernetes internal certificates

| Cert Path | Signed By | Used for | Cert Lifetime |
|---|---|---|---|
| /var/lib/kubelet/pki/kubelet.crt | K8s CA | Currently not used. Kubelet serves "content" to metrics servers | 1 Year |
| /etc/kubernetes/pki/scheduler.crt | K8s CA | Used to authenticate with the scheduler pod | 1 Year |
| /etc/kubernetes/pki/apiserver.crt | K8s CA | Used to authenticate with the K8s API server | 1 Year |
| /etc/kubernetes/pki/apiserver-etcd-client.crt | K8s CA | Used by the API server to authenticate with ETCD | 1 Year |
| /etc/kubernetes/pki/apiserver-kubelet-client.crt | K8s CA | Used by the API server to authenticate with kubelet | 1 Year |
| /etc/kubernetes/pki/front-proxy-client.crt | K8s CA | | 1 Year |
| /etc/kubernetes/pki/etcd/server.crt | K8s CA | Cert used for ETCD server authentication | 1 Year |
| /etc/kubernetes/pki/etcd/peer.crt | K8s CA | Cert used for ETCD peer server authentication | 1 Year |
| /etc/kubernetes/pki/etcd/healthcheck-client.crt | K8s CA | | 1 Year |
| /etc/kubernetes/pki/bootstrapper.crt | K8s CA | Used for initial cluster bootstrap and customization | n/a |
| /etc/kubernetes/pki/front-proxy-ca.crt | K8s CA | K8s Front Proxy certificate authority | 10 Years |
| /etc/kubernetes/pki/etcd/ca.crt | K8s CA | K8s ETCD certificate authority | 10 Years |
| /etc/kubernetes/pki/ca.crt | K8s CA | K8s Cluster certificate authority | 10 Years |
| Cert Path | Cert Lifetime |
|---|---|
| /etc/vmware/spherelet/spherelet.crt | 1 Year |
| /etc/vmware/spherelet/client.crt | 1 Year |
TKGS Guest Cluster Control Plane VMs

| Cert Path | Cert Lifetime |
|---|---|
| /var/lib/kubelet/pki/kubelet.crt | 1 Year |
| /etc/kubernetes/pki/apiserver.crt | 1 Year |
| /etc/kubernetes/pki/apiserver-etcd-client.crt | 1 Year |
| /etc/kubernetes/pki/etcd/server.crt | 1 Year |
| /etc/kubernetes/pki/etcd/peer.crt | 1 Year |
| /etc/kubernetes/pki/etcd/healthcheck-client.crt | 1 Year |
| /etc/kubernetes/pki/front-proxy-client.crt | 1 Year |
| /etc/ssl/certs/extensions-tls.crt | 10 Years |
TKGS Guest Cluster Worker Node VMs

| Cert Path | Cert Lifetime |
|---|---|
| /var/lib/kubelet/pki/kubelet.crt | 1 Year |
| /etc/ssl/certs/extensions-tls.crt | 10 Years |
TKGS Guest Cluster certificates can be rotated by upgrading the cluster. If they have already expired, follow KB article 95425 to rotate them: https://kb.vmware.com/s/article/95425
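As an added example (not part of this KB and not VMware's tooling), the following POSIX shell script audits the Supervisor control plane VM certificate paths listed above against an expiry window using `openssl x509 -checkend`, so expiring certificates are caught before the one- and two-year lifetimes run out. It assumes openssl is on PATH and that it runs as root on the CP VM; the path list, function names and `--run` flag are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): audit the Supervisor CP VM certificate paths
# listed on this page and flag anything expired or near expiry. Assumes openssl
# is on PATH and the script runs as root so the files are readable.
# Default list: the Supervisor CP VM paths from the tables above (constructed here).
WCP_CERT_PATHS="
/etc/vmware/wcp/tls/vip.crt /etc/vmware/wcp/tls/mgmt.crt
/etc/vmware/wcp/tls/ncp/lb-default.cert /etc/vmware/wcp/tls/wcpusr.cert
/etc/vmware/wcp/tls/schedext.cert /etc/vmware/wcp/tls/authproxy.crt
/etc/vmware/wcp/tls/docker-reg.crt /var/lib/kubelet/pki/kubelet.crt
/etc/kubernetes/pki/scheduler.crt /etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/peer.crt /etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/front-proxy-ca.crt /etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/ca.crt
"
# cert_status FILE WARN_DAYS -> prints missing | unreadable | expired | expiring | ok.
# Uses only `openssl x509 -checkend`, so it needs no GNU date parsing.
cert_status() {
  file=$1
  warn_secs=$(( ${2:-30} * 86400 ))
  [ -f "$file" ] || { echo missing; return; }
  openssl x509 -noout -in "$file" >/dev/null 2>&1 || { echo unreadable; return; }
  # -checkend N exits 0 when the certificate is still valid N seconds from now.
  if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -noout -checkend "$warn_secs" -in "$file" >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}
# audit_certs WARN_DAYS [PATH...] -> prints "status notAfter path" per certificate.
# Returns 1 if any certificate is expired or expiring, so cron/monitoring can alert.
audit_certs() {
  warn=${1:-30}
  if [ $# -gt 0 ]; then shift; fi
  rc=0
  for f in ${*:-$WCP_CERT_PATHS}; do
    status=$(cert_status "$f" "$warn")
    case $status in expired|expiring) rc=1 ;; esac
    notafter=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | sed 's/^notAfter=//')
    printf '%-10s %-25s %s\n' "$status" "${notafter:--}" "$f"
  done
  return $rc
}
case ${1:-} in --run) audit_certs "${2:-30}" ;; esac
```

Run it as `sh wcp-cert-audit.sh --run 30` on the CP VM to list every path with its status and notAfter date; sourcing the file only defines the functions, so `audit_certs` can be reused with a different warning window or an explicit path list (for example the TKGS guest cluster paths).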