This page describes how to update the reference to the vCenter certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the vCenter.caCertPath field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.
You can update the certificate references with the gkectl update command as described here.
Update the referenced vCenter certificate in the cluster configuration files
To update the running admin and user clusters to use the new certificate:
Retrieve the new vCenter certificate and unzip it:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page explains how to update the vCenter certificate reference in Google Distributed Cloud admin and user clusters when the vCenter certificate has changed.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves updating the \u003ccode\u003evCenter.caCertPath\u003c/code\u003e field in both the admin and user cluster configuration files to point to the new certificate file.\u003c/p\u003e\n"],["\u003cp\u003eThe new certificate is downloaded from the vCenter server, saved as \u003ccode\u003evcenter-ca.pem\u003c/code\u003e, and the path to this file is specified in the cluster configurations.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egkectl update\u003c/code\u003e command is then used to update the running admin and user clusters with the new certificate information using the updated configuration file.\u003c/p\u003e\n"],["\u003cp\u003eIt is important to update the \u003ccode\u003evCenter.caCertPath\u003c/code\u003e in the admin workstation configuration file if you create a new one, to make sure that it references the current certificate.\u003c/p\u003e\n"]]],[],null,["# Update vCenter certificate references\n\n\u003cbr /\u003e\n\nThis page describes how to update the reference to the vCenter certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the `vCenter.caCertPath` field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.\n\nYou can update the certificate references with the `gkectl update` command as described here.\n\nUpdate the referenced vCenter certificate in the cluster configuration files\n----------------------------------------------------------------------------\n\nTo update the running admin and user clusters to use the new certificate:\n\n1. Retrieve the new vCenter certificate and unzip it:\n\n ```\n curl -o certs.zip https://VCENTER_IP_ADDRESS/certs/download.zip\n unzip certs.zip\n ```\n\n You can use the `-k` flag if you want to allow unknown certificates. This is to avoid any certificate issues you may have accessing vCenter.\n2. Save the Linux certificate to a file named `vcenter-ca.pem`.\n\n3. In your admin cluster configuration file, set [`vCenter.caCertPath`](/anthos/clusters/docs/on-prem/1.9/how-to/admin-cluster-configuration-file#vcenter-cacertpath-field) to the path of your new `vcenter-ca.pem` file.\n\n4. Update your admin cluster configuration file:\n\n ```\n gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG\n ```\n\n Replace:\n - \u003cvar translate=\"no\"\u003eADMIN_CLUSTER_CONFIG\u003c/var\u003e with the path of your admin cluster configuration file.\n5. In each of your user cluster configuration files, set [`vCenter.caCertPath`](/anthos/clusters/docs/on-prem/1.9/how-to/user-cluster-configuration-file#vcenter-cacertpath-field) to the path of your new `vcenter-ca.pem` file.\n\n6. For each of your user clusters, run gkectl update command:\n\n ```\n gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG\n ```\n\n \u003cbr /\u003e\n\n Replace:\n - \u003cvar translate=\"no\"\u003eUSER_CLUSTER_CONFIG\u003c/var\u003e with the path of your user cluster configuration file.\n\nOnce the commands run successfully, the clusters will start using the new certificate.\n| **Note:** The `vCenter.caCertPath` field also appears in the admin workstation configuration file. If you want to create a new admin workstation, make sure that you edit the \\``vCenter.caCertPath` field to reference the current certificate."]]