```bash
# Script: renew.sh
vcert renew --cert myapp.crt --key myapp.key --out-dir ./certs
kubectl create secret tls myapp-tls \
  --cert=./certs/myapp.crt --key=./certs/myapp.key \
  --dry-run=client -o yaml | kubectl apply -f -
```

Deploy as a Kubernetes CronJob (e.g., run every 5 days for a 7-day cert).

In enterprise setups, the VMware CA can forward requests to a Venafi TPP server. vCert transparently supports this. Just set the appropriate policy name:
```bash
kubectl create secret tls myapp-tls --cert=myapp.crt --key=myapp.key
kubectl create configmap ca-bundle --from-file=ca.crt
```

Mount in your deployment:
```bash
vcert health
```

| Command | Purpose |
|---------|---------|
| vcert health | Verify CA server reachability |
| vcert gen | Generate key and request certificate |
| vcert renew | Renew an existing certificate |
| vcert revoke | Revoke a certificate by serial/ID |
| vcert list | List issued certificates (RBAC dependent) |
| vcert download | Fetch a previously issued certificate |

Detailed Example: Generating a TLS Certificate for a Web App

Let's walk through generating a server certificate for a web application called `myapp.default.svc.cluster.local`.

Step 1: Create a certificate request configuration

Create `request.json`:
Enter . This CLI tool is designed to simplify the generation, signing, and retrieval of X.509 certificates from a centralized VMware Certificate Authority (CA).
```bash
# Linux example
wget https://your-vcenter-or-pks-domain/api/cli/vcert-linux-amd64
chmod +x vcert-linux-amd64
sudo mv vcert-linux-amd64 /usr/local/bin/vcert
```

Verify installation: