This KB is written for advising on the following vSphere Supervisor certificates which are not included in the renewal performed by the certmgr script:

• /etc/vmware/wcp/tls/authproxy-client.crt
• /etc/vmware/wcp/tls/pinniped.crt
• /etc/vmware/wcp/tls/vip.crt
• /var/etcdmgr/signer/crt/wcp_node_bootstrapper

Certificates that are renewed by the certmgr script can be found by running the following certmgr script command while SSH into the VCSA:

• Retrieve the Supervisor cluster ID:

  • ./certmgr supervisors

• View all certificates on the chosen Supervisor cluster ID, replacing "domain-c#:########-####-####-####-#############" with the desired Supervisor cluster's ID from above:

  • ./certmgr certificates list -c domain-c#:########-####-####-####-#############

A list of vSphere Supervisor certificates can be found while directly SSH into a Supervisor control plane VM and performing the following find command:

• find / -type f \( -name "*.cert" -o -name "*.crt" \) -print 2>/dev/null | egrep -iv 'ca.crt$|ca-bundle.crt$|kubelet\/pods|var\/lib\/containerd|run\/containerd|backup' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'

vSphere Supervisor Certificates can be renewed through the certmgr script provided in KB: Replace vSphere with Tanzu Supervisor Certificates

However, this certmgr script does not renew the authproxy-client, pinniped, vip and wcp_node_bootstrapper certificates:

• The /etc/vmware/wcp/tls/vip.crt also known as the Workload Platform Management certificate can be renewed through the steps in KB: Replace the Self-Signed vip.crt
  
  
• /etc/vmware/wcp/tls/authproxy-client.crt and /etc/vmware/wcp/tls/pinniped.crt are managed and automatically renewed by the cert-manager controller in the Supervisor cluster.
  • It is currently not supported to use custom certificates for these certificates.
    
    
• /var/etcdmgr/signer/crt/wcp_node_bootstrapper is only used on initial creation of a Supervisor cluster and does not need to be renewed.

All certificates are automatically renewed upon successful Supervisor cluster upgrade.

A list of vSphere Supervisor certificates can be found while directly SSH into a Supervisor control plane VM and performing the following find command:

• find / -type f \( -name "*.cert" -o -name "*.crt" \) -print 2>/dev/null | egrep -iv 'ca.crt$|ca-bundle.crt$|kubelet\/pods|var\/lib\/containerd|run\/containerd|backup' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'

Supervisor Certificates can be renewed through the certmgr script provided in the following KB:

• Replace vSphere with Tanzu Supervisor Certificates
• However, this certmgr script does not renew the authproxy-client, pinniped, vip and wcp_node_bootstrapper certificates.