Tanzu Kubernetes Grid Integrated Edition (TKGi) | Override Extend Certificate Expiry Expiration

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Maintaining robust security within a TKGi (Tanzu Kubernetes Grid Integrated) environment involves adhering to best practices for certificate management.
- A key aspect of this is the periodic rotation of certificates.
- Regular rotation is essential because it mitigates the risk of compromise due to outdates cryptographic standards and reduces the attack surface available to malicious actors.
- Shorter certificate lifecycles ensures that any compromised keys are limited in their potential impact, thereby enhancing security.
However, for administrative purposes, such as managing staggered rotations across multiple environments, there might be scenarios where overriding or extending the expiry of certificates becomes necessary.
This article aims to identify which certificates in a TKGi environment can have their expiration overridden and provides the basic steps to do so, along with references to relevant documentation.
This approach allows administrators to manage certificate rotations more effectively without compromising the security and operational integrity of their systems.

Environment

Tanzu Operations Manager v2.10.19 and later
Tanzu Kubernetes Grid Integrated

Cause

Resolution

Overriding duration for Tanzu Operations Manager and CredHub certificates

Enable the duration override feature and make sure to Apply Changes. The duration can be set to between 1 and 10 years. More information here: Overriding duration for Tanzu Operations Manager and CredHub certificates
After enabling the duration overrides feature, additional steps are required to apply the override to existing certificates or any new certificates generated by CredHub by following the rotation procedure for each certificate. See the additional information section below.
Certificates that are affected by this feature and their default duration:
- Ops Manager CAs and leaf certificates:
  - .properties.nats_client_ca (4 years)
  - .properties.root_ca (4 years)
  - .properties.director_ssl.director (2 years)
  - .system_metrics_certificate (2 years)
  - .properties.uaa_ssl (2 years)
  - .properties.director_agent_ssl (2 years)
  - .properties.credhub_ssl (2 years)
  - .properties.director_metrics_server_certificate (2 years)
  - .properties.director_metrics_server_client_certificate (2 years)
  - .properties.blobstore_certificate.properties(2 years)
  - .nats_server_certificate (2 years)
  - .properties.nats_director_client_certificate (2 years)
  - .properties.nats_health_monitor_client_certificate (2 years)
  - dns_api_server_tls (1 year)
  - dns_api_client_tls (1 year)
  - bosh_dns_health_server_tls (1 year)
  - bosh_dns_health_client_tls (1 year)
- TKGi certificates
  - p-bosh/pivotal-container-service-<guid>/telemetry_forward_tls_2020 (4 years)
  - p-bosh/pivotal-container-service-<guid>/pks_api_internal_2018 (4 years)
  - p-bosh/pivotal-container-service-<guid>/pks_db_client_2020 (4 years)
  - p-bosh/pivotal-container-service-<guid>/mysql_server_certificate_prox (4 years)
  - p-bosh/pivotal-container-service-<guid>/mysql_server_certificate (4 years)
  - p-bosh/pivotal-container-service-<guid>/telemetry_db_client_2020 (4 years)
  - p-bosh/pivotal-container-service-<guid>/galera_server_certificate (4 years)
  - p-bosh/pivotal-container-service-<guid>/kubo_odb_ca_2018 (4 years)
  - p-bosh/pivotal-container-service-<guid>/pxc_server_ca (4 years)
  - p-bosh/pivotal-container-service-<guid>/pxc_galera_ca (4 years)
  - p-bosh/pivotal-container-service-<guid>/uaa_active_pks_saml_key_2018 (4 years)

- Workload cluster certificates
  - p-bosh/service-instance_<guid>/tls-nsx-lb (5 years)
  - p-bosh/service-instance_<guid>/tls-nsx-t (2 years)
  - p-bosh/service-instance_<guid>/tls-etcdctl-root-2018-2 (4 years)
  - p-bosh/service-instance_<guid>/tls-etcdctl-flanneld-2018-2 (4 years)
  - p-bosh/service-instance_<guid>/tls-etcdctl-2018-2 (4 years)
  - p-bosh/service-instance_<guid>/tls-etcd-2018-2 (4 years)
  - p-bosh/service-instance_<guid>/tls-metrics-server-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-kubelet-client-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-kubelet-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-kube-controller-manager-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-nsx-kube-proxy-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-ncp-2018 (4 years)
  - p-bosh/service-instance_<guid>/tls-kubernetes-2018 (4 years)
  - p-bosh/service-instance_<guid>/etcd_ca_2018 (4 years)
  - p-bosh/service-instance_<guid>/kubo_ca_2018 (4 years)
  - p-bosh/service-instance_<guid>/kubo_master_ca_2021 (4 years)
- Credhub certificates
  - opsmgr/bosh_dns/tls_ca (4 years)
  - opsmgr/bosh_dns/san_migrated (4 years)

Overriding duration for Configurable certificates

Harbor CA
- .properties.server_cert_key
- Harbor tile > Certificate > Certificate Authority (CA)
- Admin-defined
NSX Manager CA | TKGi
- .properties.network_selector.nsx.nsx-t-ca-cert
- TKGi Tile > Networking > NSX Manager CA Cert
- Admin-defined
NSX Manager CA | BOSH
- .iaas_configuration.nsx_ca_certificate
- BOSH Tile > vCenter Config > NSX CA Cert
- Admin-defined
NSX-T Super User Certificate
- .properties.network_selector.nsx.nsx-t-superuser-certificate
- TKGi Tile > Networking > NSX Manager Super User Principal Identity Certificate
- Configurable through the KB script used to rotate this cert.
TKGI API
- .pivotal-container-service.pks_tls
- TKGi Tile > TKGI API > Certificate to secure the TKGI API
- Admin-defined
- Duration override applies if in the tile Change > Generate RSA Certificate.

Additional Information

Rotation Procedures

Ops Manager CAs and leaf certificates
- Rotating CAs and leaf certificates using the Tanzu Operations Manager API
TKGi certificates
- Tanzu Kubernetes Grid Integrated Edition Certificates
- How to rotate TKGI control plane CA and leaf certificates
Workload cluster certificates
- Rotate Kubernetes Cluster Certificates
Credhub certificates
- Advanced certificate rotation with CredHub Maestro
.properties.network_selector.nsx.nsx-t-superuser-certificate
- How to renew the nsx-t-superuser-certificate used by Principal Identity user

Tanzu Kubernetes Grid Integrated Edition (TKGi) | Override Extend Certificate Expiry Expiration

Article ID: 372408

Updated On:

Products

Issue/Introduction

Environment

Cause

Resolution

Overriding duration for Tanzu Operations Manager and CredHub certificates

Ops Manager CAs and leaf certificates:

TKGi certificates

Workload cluster certificates

Credhub certificates

Overriding duration for Configurable certificates

Harbor CA

NSX Manager CA | TKGi

NSX Manager CA | BOSH

NSX-T Super User Certificate

TKGI API

Additional Information

Rotation Procedures

Ops Manager CAs and leaf certificates

TKGi certificates

Workload cluster certificates

Credhub certificates

.properties.network_selector.nsx.nsx-t-superuser-certificate

Feedback