Certificate rotation is essential for the security of the cluster and of the communication between its components. This page shows how to rotate certificates for clusters managed by RKE and Rancher.

NOTE: Certificates of clusters that were joined to Rancher but not created by it are managed only by the tool that deployed the cluster.

RKE created clusters

  • Rotate all services while using the same CA (certificate authority). It is important to have the cluster.yml that was used to create the cluster.
rke cert rotate --config cluster.yml


  • Rotate all services and the CA.
rke cert rotate --rotate-ca --config cluster.yml

Rotating the CA will cause the certificates issued by the older CA to be revoked.


  • Rotate a specific service.
rke cert rotate --service kubelet --config cluster.yml
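
To confirm what a rotation changed, the following check can be run on a node before and after `rke cert rotate`. It is an added example, not part of the original page or of RKE itself. It assumes `openssl` is installed and that node certificates are PEM files in RKE's default directory `/etc/kubernetes/ssl`, with private keys named `*-key.pem`.

```sh
#!/bin/sh
# Added example (not from RKE): inspect node certificates around a rotation.
# Assumption: certificates are PEM files in /etc/kubernetes/ssl and
# private keys follow the *-key.pem naming.

# expiring_certs DIR DAYS
# Prints "<file> <notAfter>" for every certificate that expires within DAYS.
expiring_certs() {
    dir=$1
    secs=$(( $2 * 86400 ))
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        case "$pem" in *-key.pem) continue ;; esac   # skip private keys
        # -checkend exits non-zero when the cert expires within $secs seconds
        # (or cannot be parsed, which is also worth reporting).
        if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
            printf '%s %s\n' "$pem" "${end:-unreadable}"
        fi
    done
}

# cert_fingerprints DIR
# Prints "<file name> <SHA-256 fingerprint>" per certificate. Save the output
# before and after the rotation and diff the two files: with --service kubelet
# only the kubelet certificate should differ; with --rotate-ca all should.
cert_fingerprints() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        case "$pem" in *-key.pem) continue ;; esac
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
        printf '%s %s\n' "$(basename "$pem")" "${fp:-unreadable}"
    done
}

# Typical use on a node:
#   expiring_certs /etc/kubernetes/ssl 30
#   cert_fingerprints /etc/kubernetes/ssl > before.txt
#   (run the rke cert rotate command from the workstation)
#   cert_fingerprints /etc/kubernetes/ssl > after.txt
#   diff before.txt after.txt
```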

Rancher created clusters

Select Rotate Certificates in the cluster Management window.


Options to rotate all services or individual ones

