In the event of a security compromise in which the customer needs to replace all SSL certificates, the customer must connect to the Kubernetes cluster and manually rotate the certificates that the cluster uses internally.
VCF Automation 9.0
VMSP system TLS certificates are compromised
1. Obtain the Kubeconfig from one of the following 3 options:
   - /etc/kubernetes/admin.conf
   - /var/lib/vrlcm/fetch-kubeconfig.py <lcm host> <admin_pass> <linux_root_pass> <env_id>
     (the environment ID is listed in the URL of the application in the LCM window)
2. Delete the VCF cluster CA backup secrets
3. Delete the platform CA secret, vcf-cluster-ca-secret
4. Reissue all certificates
Watch the Kubernetes CertificateRequests to ensure that all certificates were re-generated.
You can monitor the progress with the following command:
5. Restart the Platform
To ensure that all applications use the newly generated certificates, the platform must be restarted.
This can be done via the LCM UI by triggering the Power OFF, Power ON functionality.
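An added check for step 4, to run before step 5 (example script, not part of this KB or of the product): it lists every cert-manager Certificate with its Ready status and notBefore time and flags any that is not Ready, or that was issued before the rotation started and is therefore still signed by the old CA. Assumptions: the platform's internal certificates are managed by cert-manager (the KB only says "Kubernetes Certificate Requests"), kubectl reaches the cluster with the kubeconfig from step 1, and the sample lines and names are constructed.

```shell
#!/bin/sh
# Added example, not from the KB. Usage: sh check.sh --live <rotation start, RFC 3339 UTC>
# Assumes cert-manager issues the cluster certificates and KUBECONFIG is set
# (e.g. KUBECONFIG=/etc/kubernetes/admin.conf from step 1).

# Emit one line per Certificate: "<ns>/<name> <Ready status> <notBefore>".
live_certificates() {
  kubectl get certificates -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.status.conditions[?(@.type=="Ready")].status} {.status.notBefore}{"\n"}{end}'
}

# check_certificates SINCE   (reads the lines above on stdin)
# Flags certificates that are not Ready, or whose notBefore predates SINCE,
# i.e. were not re-issued after the compromised CA was replaced.
# Returns 1 if anything was flagged, 0 if the rotation looks complete.
check_certificates() {
  since=$1
  bad=0
  while read -r ref ready notbefore; do
    [ -z "$ref" ] && continue
    if [ "$ready" != "True" ]; then
      echo "NOT READY: $ref (Ready=${ready:-unknown})"
      bad=$((bad + 1))
    elif [ -z "$notbefore" ] || expr "$notbefore" \< "$since" >/dev/null; then
      # RFC 3339 UTC timestamps sort lexically, so a string compare is a time compare
      echo "STALE: $ref notBefore=${notbefore:-none}, rotation started $since"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample of what live_certificates prints part-way through a rotation:
SAMPLE='vcf/vcf-cluster-ca True 2024-05-01T09:02:11Z
vcf/platform-ingress-tls False 2024-04-01T00:00:00Z
vcf/identity-svc-tls True 2024-04-01T00:00:00Z'

if [ "${1:-}" = "--live" ]; then
  if live_certificates | check_certificates "$2"; then echo "all certificates re-issued"; else echo "rotation incomplete; do not proceed to step 5"; fi
else
  if printf '%s\n' "$SAMPLE" | check_certificates 2024-05-01T09:00:00Z; then echo "all certificates re-issued"; else echo "rotation incomplete; do not proceed to step 5"; fi
fi
```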