Certificate Management

VCluster UI Job Status page

The Certificate Management page shows you your certificate information and enables you to manage your certificates.

VCluster UI certificate management page

Roles and permissions

The VCluster UI supports role-based access control (RBAC) to manage user permissions.

Migrating existing certificates

Existing certificates that were issued without a role assignment are not automatically migrated. RBAC roles are embedded in client certificates and cannot be changed after the certificate is created, so all existing certificates must be regenerated to include a role assignment before they can be used.

To regenerate your certificate:

  1. Remove the existing certificate from your browser's certificate store.
  2. In the VCluster UI, apply for a new certificate using the Apply Client Cert option.
  3. An administrator reviews and approves the certificate request.
  4. Download the newly issued certificate and install it in your local browser.

For more information about revoking certificates, see Revoke certificates.

Role overview

The following table provides a brief overview of VCluster UI roles:

Role | Description
--- | ---
operator | View VCluster status, start/stop VCluster, and manage job queue operations. Cannot scale/configure VCluster or manage users.
viewer | Read-only access to view cluster, node, and subcluster status, and monitor job queue operations. Cannot perform administrative tasks.

Role permissions overview

The following table summarizes the operations available for each role:

Operation operator viewer
VCluster status / list
VCluster start/stop
VCluster scale/config
Create/manage MCP users
Job queue operations

Certificate management options

The following options are available to manage certificates:

  • Pending Certs list: Shows a list of the status of server and client certificates.

    VCluster UI certificate management pending certificates

  • Issued Certs list: Shows a list of the issued certificates.

    VCluster UI certificate management issued certificates

  • Revoked Certs list: Shows a list of the revoked certificates.

    VCluster UI certificate management revoked certificates

  • Renew Server Cert: Lets you renew your server certificate.

    VCluster UI certificate management renew server certificate

  • Renew Client Cert: Lets you renew your client certificate.

    VCluster UI certificate management renew client certificate

  • Apply Client Cert: Use this option to apply for a client certificate.

    VCluster UI certificate management apply client certificate

Revoke certificates

Only users with the admin role can revoke certificates. Revoking a certificate adds it to the Certificate Revocation List (CRL), immediately invalidating it.

To revoke a certificate:

  1. In the VCluster UI, go to the Certificate Management page.
  2. In the Issued Certs list, select the certificate you want to revoke and click the delete icon in the Action column.
  3. In the confirmation dialog, confirm that you want to revoke the certificate. A success message confirms the certificate has been revoked.

The certificate appears in the Revoked Certs list and can no longer be used to authenticate.

To rotate the admin certificate and invalidate all certificates it issued:

  1. Run the following command to generate a new admin certificate:
    vcluster_server --init
    
  2. Install the new admin certificate in your browser.
  3. In the VCluster UI, go to the Certificate Management page.
  4. In the Issued Certs list, select the old admin certificate and click the delete icon in the Action column to revoke it.
  5. Confirm the revocation. The old admin certificate is added to the CRL, immediately invalidating it and any certificates it issued.