Skip to content

feat: add CLI subcommand to update admin console TLS certificates #3708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
banjoh wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add CLI subcommand to update admin console TLS certificates #3708

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e917db7
feat: add CLI subcommand to update admin console TLS certificates
banjoh Dec 10, 2025
bbba46e
Update embedded-tls-certs.mdx
ajp-io Dec 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 30 additions & 3 deletions docs/enterprise/embedded-tls-certs.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,42 @@ This topic describes how to update custom TLS certificates in Replicated Embedde

## Update Custom TLS Certificates

Users can provide custom TLS certificates with Embedded Cluster installations and can update TLS certificates through the Admin Console.
Users can use the CLI or the Admin Console to update the TLS certificates used to secure the Admin Console in Embedded Cluster installations. This is useful when certificates expire or need to be rotated regularly.

### Update Using the CLI (Recommended)

:::note
The `admin-console update-tls` command is available in Embedded Cluster v2.14.0 and later.
:::

The `admin-console update-tls` command provides a secure way to update TLS certificates for the Admin Console.

To update TLS certificates using the CLI:

1. SSH onto a controller node where Embedded Cluster is installed. Ensure the new TLS certificate and key files that you want to use are present on the node.

1. Run the following command to update the TLS certificate and key:

```bash
sudo ./APP_SLUG admin-console update-tls --tls-cert PATH_TO_CERT --tls-key PATH_TO_KEY
```

Replace:
- `APP_SLUG` with the unique slug of the installed application.
- `PATH_TO_CERT` with the path to the TLS certificate file.
- `PATH_TO_KEY` with the path to the TLS key file.

### Update Using the Admin Console

You can also update TLS certificates through the Admin Console. This method requires temporarily enabling anonymous uploads.

:::important
Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again.

Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk.
Replicated recommends using the CLI method above when possible. If you use this method, complete the upload process quickly to minimize the vulnerability risk.
:::

To upload a new custom TLS certificate in Embedded Cluster installations:
To upload a new custom TLS certificate through the Admin Console:

1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:

Expand Down