# Update vCenter CA certificate references

This page describes how to update the reference to the vCenter CA certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the `vCenter.caCertPath` field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.

You can update the certificate references with the `gkectl update` command as described here.

Update the referenced vCenter CA certificate in the cluster configuration files
-------------------------------------------------------------------------------

To update the running admin and user clusters to use the new certificate:

1. Retrieve the new vCenter CA certificate and unzip it:

   ```
   curl -o certs.zip https://VCENTER_IP_ADDRESS/certs/download.zip
   unzip certs.zip
   ```

   You can use the `-k` flag if you want to allow unknown certificates. This is to avoid any certificate issues you may have accessing vCenter. With `-k`, `curl` does not verify the server certificate, so the downloaded bundle is not authenticated by TLS.

2. Save the Linux certificate to a file named `vcenter-ca.pem`.

3. In your admin cluster configuration file, set [`vCenter.caCertPath`](/anthos/clusters/docs/on-prem/1.15/how-to/admin-cluster-configuration-file#vcenter-cacertpath-field) to the path of your new `vcenter-ca.pem` file.

4. Update your admin cluster:

   ```
   gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
   ```

   Replace:

   - `ADMIN_CLUSTER_CONFIG` with the path of your admin cluster configuration file.

   After the update command completes, the admin cluster will use the new certificate.

5. Verify that the admin cluster is healthy:

   ```
   gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG
   ```

   For more information, see [Diagnose an admin cluster](/anthos/clusters/docs/on-prem/1.15/diagnose#diagnose_admin_cluster).

6. In each of your user cluster configuration files, set [`vCenter.caCertPath`](/anthos/clusters/docs/on-prem/1.15/how-to/user-cluster-configuration-file#vcenter-cacertpath-field) to the path of your new `vcenter-ca.pem` file.

7. For each of your user clusters, run the `gkectl update` command:

   ```
   gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
   ```

   Replace:

   - `USER_CLUSTER_CONFIG` with the path of your user cluster configuration file.

   After the update command completes for a particular user cluster, the cluster will use the new certificate.

8. Verify that the user cluster is healthy:

   ```
   gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
       --cluster-name USER_CLUSTER_NAME
   ```

   For more information, see [Diagnose a user cluster](/anthos/clusters/docs/on-prem/1.15/diagnose#diagnose_user_cluster).

> **Note:** The `vCenter.caCertPath` field also appears in the admin workstation configuration file. If you want to create a new admin workstation, make sure that you edit the `vCenter.caCertPath` field to reference the current certificate.

Last updated 2025-08-25 UTC.
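
A check to run on `vcenter-ca.pem` before referencing it in `vCenter.caCertPath`, useful when the download used `-k`. This is an added example, not part of the original page or of Google's tooling; the function names are hypothetical, and the expected fingerprint is an assumption: a SHA-256 value you obtained out of band, for example from a vCenter administrator.

```shell
#!/usr/bin/env bash
# Added example: authenticate vcenter-ca.pem before vCenter.caCertPath points at it.
# Requires the openssl CLI. The expected fingerprint is assumed to come from a
# trusted out-of-band source, not from the same download.

# Normalize a fingerprint: drop colons and spaces, upper-case the hex digits.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of a PEM certificate; fail if it does not parse.
cert_sha256() {
  local out
  out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
  normalize_fp "${out#*=}"
}

# verify_vcenter_ca CERT_FILE EXPECTED_FP [MIN_DAYS_LEFT]
# Returns 0 only if the file parses as a certificate, stays valid for at least
# MIN_DAYS_LEFT days (default 30), and matches the out-of-band fingerprint.
verify_vcenter_ca() {
  local cert expected min_days actual
  cert=$1
  min_days=${3:-30}
  expected=$(normalize_fp "$2")
  actual=$(cert_sha256 "$cert") || {
    echo "not a PEM X.509 certificate: $cert" >&2; return 2; }
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days: $cert" >&2; return 3
  fi
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: file has $actual" >&2; return 4
  fi
  echo "OK: $cert sha256=$actual"
}

# Usage: ./verify-vcenter-ca.sh vcenter-ca.pem EXPECTED_SHA256_FINGERPRINT
if [ "$#" -ge 2 ]; then
  verify_vcenter_ca "$@"
fi
```

Run it after step 2 and continue to `gkectl update` only when it prints `OK`.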