-
Notifications
You must be signed in to change notification settings - Fork 68
/
Copy pathcertificate-concepts.html.md.erb
207 lines (172 loc) · 9.07 KB
/
certificate-concepts.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
---
title: Tanzu Kubernetes Grid Integrated Edition Certificates
owner: TKGI
---
This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates
and how to rotate them.
<br>
<br>
## <a id="overview"></a>Overview of TKGI Certificates
TKGI secures all communication between TKGI control plane components and TKGI-managed Kubernetes clusters
using Transport Layer Security (TLS) validated by RSA Certificate Authority (CA) certificates and leaf certificates that they issue:
* **TKGI Control Plane Certificates**
TKGI control plane certificates secure TKGI control plane component communication
with the TKGI API server and TKGI DB server.
* **TKGI User-Configurable Certificates**
TKGI user-configurable TKGI certificates must be configured by TKGI administrators.
* **BOSH Certificates used by TKGI**
The BOSH certificates used by TKGI, are generated by BOSH.
* **TKGI-Provisioned Kubernetes Cluster Certificates**
The TKGI-Provisioned Kubernetes Cluster certificates, and their leaf certificates, used by Kubernetes clusters
are unique to each Kubernetes cluster and are automatically generated by TKGI.
TKGI manages the life-cycle of the per-cluster CA and the certificates it signs.
* **NSX-Only TKGI Kubernetes Cluster Certificates**
NSX-only TKGI Kubernetes cluster certificates must be registered with NSX Manager.
<p class="note warning"><strong> Important:</strong> To keep TKGI running, you need to monitor expiration dates and rotate all of the above certificate types, including BOSH certificates that are not created by TKGI.</p>
<br>
The certificates used by TKGI automatically expire and must be rotated.
For more information, see
[Check Certificate Expiration Dates](#check-expiration) and [Rotating Certificates](#rotate) below.
For more information about certificates, see [Certificate Types](https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-operations-manager/3-0/tanzu-ops-manager/security-pcf-infrastructure/certificate-types.html)
in the Ops Manager documentation.
<br>
<br>
## <a id="check-expiration"></a>Check Certificate Expiration Dates
Before rotating TKGI certificates, determine which certificates are approaching expiration.
To review certificate expiration dates:
* Review certificate expiration dates using Ops Manager.
To see certificate expiration dates, open the Ops Manager and select the **Certificates** tab.
* Use CredHub to export the certificate expiration dates for the TKGI deployment or one or more clusters.
For more information, see
[How to get the expiry dates of all CA's & certificates in the PKS deployment and clusters](https://knowledge.broadcom.com/external/article/298609/)
in the Broadcom Support Knowledge Base.
* Use the TKGI CLI to export the certificate expiration dates for Kubernetes cluster certificates.
For more information, see [List TLS Certificates](rotate-cluster-certificates.html#certs-list)
in _Rotate Kubernetes Cluster Certificates_.
<br>
<br>
## <a id="rotate"></a>Rotating Certificates
<%= vars.recommended_by %> that TKGI administrators occasionally verify the expiration dates
of their TKGI certificates, and when needed, rotate expiring certificates.
See [Check Certificate Expiration Dates](#check-expiration) above to review your TKGI certificate expiration dates.
<p class="note warning"><strong>Warning:</strong>
Never use the CredHub Maestro <code>maestro regenerate ca/leaf --all</code> command to rotate TKGI certificates.
</p>
The following summarizes the rotation requirements for the certificates used in TKGI environments:
* **TKGI Control Plane Certificates**
<table>
<tr>
<th width=300px>Certificate</th>
<th>Default Expiration</th>
<th>Rotation Description</th>
</tr>
<tr>
<td><code>pxc_server_ca</code><br>and leaf certificates</td>
<td rowspan=4>Four years</td>
<td rowspan=4>See <a href="rotate-tile-certificates.html#control">Rotate TKGI Control Plane Certificates</a>
or <a href="https://knowledge.broadcom.com/external/article?legacyId=88309">How to rotate TKGI control plane CA and leaf certificates</a> in the Broadcom Support Knowledge Base.
</td>
</tr>
<tr><td><code>pxc_galera_ca</code><br>and leaf certificates</td></tr>
<tr><td><code>uaa_active_pks_saml_key_2018</code><br>and leaf certificates</td></tr>
<tr><td><code>kubo_odb_ca_2018</code><br>and leaf certificates</td></tr>
</table>
* **TKGI User-Configurable TKGI Certificates**
<table>
<tr>
<th width=300px>Certificate</th>
<th>Default Expiration</th>
<th>Rotation Description</th>
</tr>
<tr>
<td><code>pks_tls</code></td>
<td>Admin-defined</td>
<td>Open the TKGI API tab on the TKGI tile.
<br><br>The TKGI API Service certificate is used to secure access to the TKGI API endpoint.
</td>
</tr>
<tr>
<td><code>nsx-t-superuser-certificate</code></td>
<td>Admin-defined</td>
<td>See <a href="nsxt-generate-pi-cert.html#certificates-nsx-pid-rotate">Rotate the Principal Identity Certificate and Key</a>
in <i>Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key</i>
or <a href="https://knowledge.broadcom.com/external/article?legacyId=80355">How to renew the nsx-t-superuser-certificate used by Principal Identity user</a> in the Broadcom Support Knowledge Base.
<br><br>The NSX SuperUser certificate is used to secure access to the NSX manager.
</td>
</tr>
</table>
* **BOSH Certificates used by TKGI**
<table>
<tr>
<th width=300px>Certificate</th>
<th>Default Expiration</th>
<th>Rotation Description</th>
</tr>
<tr>
<td><code>bosh_dns_health_client_tls</code></td>
<td rowspan=4>One year</td>
<td rowspan=4>See <a href="https://knowledge.broadcom.com/external/article?legacyId=88187">How to rotate bosh-dns certificates in TKGI 1.9+ using maestro</a>
in the Broadcom Support Knowledge Base.
</td>
</tr>
<tr><td><code>bosh_dns_health_server_tls</code></td></tr>
<tr><td><code>dns_api_client_tls</code></td></tr>
<tr><td><code>dns_api_server_tls</code></td></tr>
</table>
<br>
To extend the default expiration period, see [Overriding Duration for Certificates](https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-operations-manager/2-10/tanzu-ops-manager/security-pcf-infrastructure-configure-certificate-duration-overrides.html)
in the Ops Manager documentation.
* **TKGI Kubernetes Cluster Certificates**
<table>
<tr>
<th width=300px>Certificate and leaf certificates</th>
<th>Default Expiration</th>
<th>Rotation Description</th>
</tr>
<tr>
<td><code>kubo_master_ca_2021</code>
<br><br>and leaf certificates:
<br><code>tls-kubernetes-2018</code>,
<br><code>tls-ncp-2018 (with NSX)</code>,
<br><code>tls-nsx-kube-proxy-2018 (with NSX)</code>
</td>
<td rowspan=4>Four years</td>
<td rowspan=4>See <a href="rotate-cluster-certificates.html">Rotate Kubernetes Cluster Certificates</a>.</td>
</tr>
<tr>
<td><code>kubo_ca_2018</code>
<br><br>and leaf certificates:
<br><code>tls-kubelet-2018</code>,
<br><code>tls-metrics-server-2018</code>,
<br><code>tls-kubelet-client-2018</code>,
<br><code>tls-kube-controller-manager-2018</code>
</td>
</tr>
<tr><td><code>etcd_ca_2018</code>
<br><br>and leaf certificates:
<br><code>tls-etcd-2018-2</code>,
<br><code>tls-etcdctl-2018-2</code>,
<br><code>tls-etcdctl-root-2018-2</code>,
</td>
</tr>
</table>
* **NSX-Only TKGI Kubernetes Cluster Certificates**
<table>
<tr>
<th width=300px>Certificate</th>
<th>Default Expiration</th>
<th>Rotation Description</th>
</tr>
<tr>
<td><code>tls-nsx-t</code></td>
<td>Two years</td>
<td rowspan=2>See <a href="rotate-cluster-certificates.html#rotate-only-nsx">Rotate NSX Certificates Only</a>
in <i>Rotate Kubernetes Cluster Certificates</i>.
<br>The NSX only certificates must be registered with NSX Manager.
</td>
</tr>
<tr>
<td><code>tls-nsx-lb</code></td>
<td>Five years</td>
</tr>
</table>