"Workload Platform Management" certificates are automatically renewed.

Article ID: 436432

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Symptoms:

  • When navigating to Cluster > Configure tab > Supervisor Cluster > Certificate in the vSphere Client, you may notice that the "Workload Platform Management" certificate has been automatically renewed.

    Note: In vSphere 8.0 and later, the "Workload Platform Management" certificates can be viewed at the following location:

    Menu > Workload Management > Select a Supervisor from the left pane > Configure tab > Certificates

  • In /var/log/vmware/wcp/wcpsvc.log on the vCenter Server, entries similar to the following may be observed:
    YYYY-MM-DDTHH:mm:SS.SSS info wcp [kubelifecycle/certificates.go:###] Automatically reissuing TLS endpoint certificate for domain-c#####
    YYYY-MM-DDTHH:mm:SS.SSS debug wcp [kubelifecycle/certificates.go:###] deleteExpiredRequests: Deleting CSRs created before YYYY-MM-DDTHH:mm:SS.SSS +0000 UTC
    YYYY-MM-DDTHH:mm:SS.SSS debug wcp [kubelifecycle/certificates.go:###] deleteExpiredRequests: Done deleting CSRs

Environment

VMware vCenter Server 7.0 U3

vSphere with Tanzu 7.0

Resolution

This is expected behavior. The "Workload Platform Management" certificate is automatically renewed when the following conditions are met:

  • The certificate has exceeded 50% of its validity period. (By default, this occurs after 6 months.)
  • The certificate is signed by the VMware Certificate Authority (VMCA).

Note: VMCA is the internal certificate authority of vCenter Server. Typically, after a Supervisor cluster is deployed, the "Workload Platform Management" certificate is issued as a VMCA-signed certificate.
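
When reviewing a certificate change on a Supervisor, the wcpsvc.log entry and the two renewal conditions above can be checked together. The following Python script is an added example, not VMware code: the sample log lines are constructed, and the `vmca_signed` input and the 10-minute matching tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the "Automatically reissuing" entry in the format this article shows.
REISSUE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\S*\s+info\s+wcp\s+"
    r"\[kubelifecycle/certificates\.go:\d+\]\s+Automatically reissuing "
    r"TLS endpoint certificate for (?P<cluster>domain-c\d+)"
)

def find_auto_renewals(lines):
    """Return (timestamp, cluster_id) for every automatic reissue entry."""
    events = []
    for line in lines:
        m = REISSUE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
            events.append((ts, m.group("cluster")))
    return events

def past_half_validity(not_before, not_after, at):
    """True once `at` is beyond 50% of the certificate's validity period."""
    return at > not_before + (not_after - not_before) / 2

def classify_change(events, cluster, changed_at, old_not_before, old_not_after,
                    vmca_signed, tolerance=timedelta(minutes=10)):
    """'expected' only if both renewal conditions held and a log entry matches."""
    # tolerance is an assumed window between the log entry and the observed change
    logged = any(c == cluster and abs(changed_at - ts) <= tolerance
                 for ts, c in events)
    eligible = vmca_signed and past_half_validity(
        old_not_before, old_not_after, changed_at)
    return "expected" if logged and eligible else "investigate"

# Constructed sample lines: timestamps, line numbers and cluster id are made up.
SAMPLE_LOG = [
    "2024-03-01T02:15:07.123 info wcp [kubelifecycle/certificates.go:101] "
    "Automatically reissuing TLS endpoint certificate for domain-c1001",
    "2024-03-01T02:15:09.456 debug wcp [kubelifecycle/certificates.go:202] "
    "deleteExpiredRequests: Deleting CSRs created before "
    "2024-02-29T02:15:09.456 +0000 UTC",
    "2024-03-01T02:15:09.500 debug wcp [kubelifecycle/certificates.go:210] "
    "deleteExpiredRequests: Done deleting CSRs",
]

if __name__ == "__main__":
    ev = find_auto_renewals(SAMPLE_LOG)
    print(classify_change(ev, "domain-c1001", datetime(2024, 3, 1, 2, 15, 30),
                          datetime(2023, 8, 1), datetime(2024, 8, 1), True))
```

A result of `investigate` means only that the change is not explained by the automatic renewal described in this article, for example because no matching log entry exists for that cluster or the previous certificate was not VMCA-signed.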