Information about the pxc_tls_ca and pxc_tls_server MySQL for VMware Tanzu certificates

Article ID: 293266

Updated On:

Products

VMware Tanzu SQL

Issue/Introduction

This article provides information regarding the pxc_tls_ca and pxc_tls_server certificates. 

The pxc_tls_ca and pxc_tls_server certificates are associated only with MySQL for VMware Tanzu High Availability (HA) service instances and have a validity duration of 1 year. Depending on which MySQL for VMware Tanzu version you are running, these certs may serve different purposes and may have different rotation recommendations.

Resolution

MySQL for VMware Tanzu v2.5 and v2.6

The pxc_tls_ca and pxc_tls_server certs are used for securing replication traffic between the MySQL for VMware Tanzu nodes.


MySQL for VMware Tanzu v2.7

The pxc_tls_ca and pxc_tls_server certs are only used for the upgrade from v2.6. They are still referenced and created in service instance manifests for backwards compatibility reasons, though they are not used.

When upgrading to MySQL for VMware Tanzu 2.7, two new pxc certs are introduced for securing replication traffic between the MySQL for VMware Tanzu nodes. These certs are pxc_internal_ca and pxc_internal_server, and they have a validity duration of 5 years.


MySQL for VMware Tanzu v2.8

When upgrading to MySQL for VMware Tanzu 2.8, the legacy pxc_tls_ca and pxc_tls_server certs will be removed and the new certs pxc_internal_ca and pxc_internal_server will remain.


Prerequisites for Rotating these Certificates

If you have MySQL for VMware Tanzu 2.5 or MySQL for VMware Tanzu 2.6, it is recommended to upgrade the MySQL for VMware Tanzu tile one minor version at a time until you reach the most current MySQL for VMware Tanzu version, because these certificates are rotated as part of that tile upgrade. For example, go from v2.5.x > v2.6.x > v2.7.x.

If you have MySQL for VMware Tanzu 2.7, it is okay to let the pxc_tls_ca and pxc_tls_server certs expire as they are not used.

Note: If you find that you need to rotate these certs manually, please contact Tanzu Support.