Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Certificate rotation for your AKS cluster to improve the security

  • February 23, 2021
  • 5 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


As requirements for some company, when an employee leaves the company, it is to remove data and accesses.

The problem with Kubernetes, is that you have credentials, in your kube file. So, if you leave the company, get the file with you, and copy it to your personal computer, you will be able to connect to the AKS cluster, except if you implemented network restriction for example, by authorizing only the public IP of you company.

So, one way to remove these accesses, is to renew the CA of your AKS cluster. But, all other employees must renew their credentials, after this CA rotation certificate. And to renew these credentials, you need… an Azure CLI access, with your company credentials 🙂 So this method is perfect.

You need to be careful when you do this CA rotation, because your cluster will be down for some minutes (maximum 30 minutes). Why? Because all of your pods will be redeployed with this new CA 🙂

So, to start, execute the following command:

CA rotation certificate

When it’s done, if you try to get pods for example, you will have the following error:

Verification error

So, you need to login, with az login, and get credentials again:

Try log in with az login

Now, you will be able to get your pods again:

Get your pods again

And, as you can see, the age of pods are pretty new, because they have been redeployed with the new CA.

If you use the ca.crt in your secret, for example, you will need to update them, with the following script:


What it will do here? It will get you ca.crt that you just get, and update each secret with this new one:

Update each secret with this new ca.crt that you just get

Hey! Found Florent’s insights useful? Looking for a cost-effective, high-performance, and easy-to-use hyperconverged platform?
Taras Shved
Taras Shved StarWind HCI Appliance Product Manager
Look no further! StarWind HCI Appliance (HCA) is a plug-and-play solution that combines compute, storage, networking, and virtualization software into a single easy-to-use hyperconverged platform. It's designed to significantly trim your IT costs and save valuable time. Interested in learning more? Book your StarWind HCA demo now to see it in action!