Update vCenter CA certificate references
This page describes how to update the reference to the vCenter CA certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the vCenter.caCertPath field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.
You can update the certificate references with the gkectl update command as described here.
Update the referenced vCenter CA certificate in the cluster configuration files
To update the running admin and user clusters to use the new certificate:
Retrieve the new vCenter CA certificate and extract it:
You can use the -k flag if you want to allow unknown certificates. This is to avoid any certificate issues you may have accessing vCenter.
Determine which of the vCenter certificates is valid. Only one of the Linux certificate files in the extracted ..../certs/lin folder is the valid vCenter certificate. To determine which file is the valid vCenter certificate, do the following:
Set the following environment variables from the Admin Workstation where govc is already installed. If not already done, download and install the govc tool:
VCENTER_IP_ADDRESS_OR_FQDN: the IP address or FQDN of the vCenter Server.
VCENTER_USERNAME: the username of the vCenter Server.
VCENTER_PASSWORD: the password for the specified username.
FULL_PATH_OF_EXTRACTED_LIN_FILE: the full path to the Linux certificate file for which you are conducting a validity test.
To verify that the vCenter certificate is valid, run the govc about command:
govc about
If the vCenter certificate is valid, the govc about command prints details about the vCenter Server similar to the following:
FullName: VMware Center Server 7.0.3 build-24322018
Name: VMware Center Server
Vendor: VMware, Inc.
Version: 7.0.3
Build: 24322018
OS type: linux-x64
API type: VirtualCenter
API version: 7.0.3.0
Product ID: vpx
UUID: 475fa366-faa9-43f0-9417-e6dadc55514c
If the certificate is invalid, you should see an x509 error. If you see an x509 error, update the FULL_PATH_OF_EXTRACTED_LIN_FILE environment variable to point at a different Linux certificate file in the extracted ..../certs/lin folder, and then run the govc about command again. Repeat steps a. and b. until you locate the valid certificate, or until you are done testing each of the Linux certificate files in the extracted ..../certs/lin folder.
To back up the old vCenter CA certificate file (which is at the path specified in the vCenter.caCertPath field of your admin cluster configuration file), rename it to vcenter-ca-cert.pem.old.
Rename the new valid certificate file in the ..../certs/lin folder to vcenter-ca-cert.pem and then move it to the path specified in the vCenter.caCertPath field of your admin cluster configuration file.
If you created your admin workstation with gkeadm, make sure that the vCenter.caCertPath in the admin workstation configuration file has the same path as the admin cluster configuration file.
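The validity check, backup and move described in the steps above can be scripted. The following is an added example, not from the original page: the function names are hypothetical, and it assumes GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are already exported. It unsets GOVC_INSECURE for each test, because with verification disabled govc about succeeds no matter which file is being tested.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page. Assumes GOVC_URL, GOVC_USERNAME
# and GOVC_PASSWORD are already exported for your vCenter Server.

# Print the first file in the given certs/lin folder that lets `govc about`
# complete with certificate verification on. Returns 1 if none does.
find_valid_vcenter_ca() {
  local lin_dir=$1 candidate
  for candidate in "$lin_dir"/*; do
    [ -f "$candidate" ] || continue
    # Subshell: drop GOVC_INSECURE (it disables verification, so every file
    # would appear to pass) and trust only this one candidate.
    if ( unset GOVC_INSECURE
         export GOVC_TLS_CA_CERTS="$candidate"
         govc about >/dev/null 2>&1 ); then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Back up the file at vCenter.caCertPath and put the valid certificate in its
# place. Nothing is touched when no candidate validates.
rotate_vcenter_ca() {
  local ca_cert_path=$1 lin_dir=$2 valid
  valid=$(find_valid_vcenter_ca "$lin_dir") || {
    echo "no file in $lin_dir validates against vCenter" >&2
    return 1
  }
  if [ -f "$ca_cert_path" ]; then
    mv -- "$ca_cert_path" "$(dirname "$ca_cert_path")/vcenter-ca-cert.pem.old"
  fi
  mv -- "$valid" "$ca_cert_path"
  echo "installed $valid as $ca_cert_path"
}

# Usage: rotate_vcenter_ca /path/from/vCenter.caCertPath /path/to/certs/lin
```

A file that passes this check matches what the server at GOVC_URL presents; if the bundle was downloaded with -k, compare the certificate's fingerprint with your vCenter administrator before trusting it.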
If Controlplane V2 is enabled on your user clusters, which is required for
version 1.32 and higher, update your user clusters first and then the admin
cluster. For user clusters that don't have Controlplane V2 enabled
(referred to as kubception), update the admin cluster first and then the user
clusters.
Controlplane V2
In each of your user cluster configuration files, set vCenter.caCertPath to the path of your new vcenter-ca-cert.pem file.
For each of your user clusters, run the gkectl update command:
Last updated 2026-01-22 UTC.