K3s CA

Location

• TPVM: /apps/rancher/k3s/server/tls/server-ca.crt
• Server: /var/lib/rancher/k3s/server/tls/server-ca.crt

Expiry and Alerts

The certificate is valid for 10 years from the date of installation and is regenerated after every upgrade. It supports the following alerts which effects the health of XCO security subsystem:

• CertificateExpiryNoticeAlert
• CertificateExpiredAlert
• CertificateUnreadableAlert

For more information, see Fault Management - Alerts.

Renewal

You can renew or regenerate the K3s CA by using either script or command.

To renew or regenerate the K3S CA, use the renewal script efa_k3s_renew_certs.sh.

sudo bash <path to the script>/efa_k3s_renew_certs.sh --type ca

To renew or regenerate the K3S CA, use the efa certificate server renew command.

efa certificate server renew --cert-type

Note

• In TPVM, the renewal script and command are available in /apps/efa/ and /opt/efa/ on a server installation.
• If there are any third-party certificates already installed on XCO, reinstall these certificates after K3s CA certificates are regenerated.

On renewal of the certificate, CertificateRenewalAlert is raised which changes the health of the system to green.