The TLS certificates for container-native virtualization components are created at the time of installation and are valid for one year. You must manually refresh these certificates before they expire.

Refreshing TLS certificates

To refresh the TLS certificates for container-native virtualization, download and run the rotate-certs script. This script is available from the kubevirt/hyperconverged-cluster-operator repository on GitHub.

When refreshing the certificates, the following operations are impacted:

  • Migrations are canceled

  • Image uploads are canceled

  • VNC and console connections are closed

Before you begin, ensure that you are logged in to the cluster as a user with cluster-admin privileges. The script uses your active session to the cluster to refresh certificates in the openshift-cnv namespace.

  1. Download the rotate-certs.sh script from GitHub:

    $ curl -O https://raw.githubusercontent.com/kubevirt/hyperconverged-cluster-operator/master/tools/rotate-certs.sh

  2. Ensure the script is executable:

    $ chmod +x rotate-certs.sh

  3. Run the script:

    $ ./rotate-certs.sh -n openshift-cnv

The TLS certificates are refreshed and valid for one year.
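Because the refresh cancels migrations and image uploads, it helps to know which certificates are actually close to expiry before scheduling it. The following is an added example, not part of rotate-certs.sh or of the original page. It assumes the components keep their certificates in secrets of type kubernetes.io/tls (data key tls.crt) in the namespace, and the function names cert_expires_within and report_expiring_certs are hypothetical.

```shell
#!/bin/sh
# Added example, not part of rotate-certs.sh.
# Assumption: the components keep their certificates in secrets of type
# kubernetes.io/tls (data key tls.crt) in the target namespace.

# Read one PEM certificate on stdin (the first one, if a chain is given).
# Returns 0 if it expires within $1 days or has already expired,
# 1 if it stays valid longer than that, 2 if the input is not a certificate.
cert_expires_within() {
  local days pem
  days=$1
  pem=$(cat)
  printf '%s\n' "$pem" | openssl x509 -noout 2>/dev/null || return 2
  if printf '%s\n' "$pem" |
      openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print "<secret name><TAB><notAfter>" for every TLS secret in namespace $1
# whose certificate expires within $2 days (default 30). No output means
# nothing is due. Uses the active oc session, like rotate-certs.sh.
report_expiring_certs() {
  local ns days tab name b64 pem rc
  ns=$1
  days=${2:-30}
  tab=$(printf '\t')
  oc get secrets -n "$ns" --field-selector type=kubernetes.io/tls \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.data.tls\.crt}{"\n"}{end}' |
  while IFS="$tab" read -r name b64; do
    [ -n "$b64" ] || continue
    pem=$(printf '%s' "$b64" | base64 -d)
    rc=0
    printf '%s\n' "$pem" | cert_expires_within "$days" || rc=$?
    case $rc in
      0) printf '%s\t%s\n' "$name" \
           "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)" ;;
      2) printf '%s\tunreadable certificate\n' "$name" ;;
    esac
  done
}

# Example: report_expiring_certs openshift-cnv 30
```

Run it again after the refresh with a large window (for example 300 days): no output confirms that every certificate was reissued.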