Using a ManagementSecretRotation CR to update the management CA

About this task

Applying the ManagementSecretRotation CR (Custom Resource) is an alternative method for renewing the management_CR-ca and its dependencies, and then restarting the dependent pods. This option applies only to the management_CR-ca.

Restriction: The ManagementSecretRotation CR can only be used with a stand-alone deployment using a single data center. Do not attempt to use it with a two data center configuration or a Cloud Pak for Integration deployment.


  1. Create a ManagementSecretRotation CR (for example, operationcr.yaml) with contents similar to the following example:
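    apiVersion: <apiVersion>   # placeholder; use the API version of the installed ManagementSecretRotation CRD
    kind: ManagementSecretRotation
    metadata:
      name: rotate-issuer
    spec:
      managementCluster: management_CR_name
      <list-field>:            # placeholder; use the field the CRD defines for the certificates to rotate
        - management_CR-ca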

    where management_CR_name is the name of the management CR that the system was deployed with.

  2. Apply the CR by running the following command:
    kubectl create -f operationcr.yaml -n namespace

    where:

    • namespace is the namespace where you installed the Management subsystem.
    • operationcr.yaml is the file that contains the CR.

    Applying the CR updates the management_CR-ca, along with any certificates that are signed by it. To view a list of the updated certificates, run the following command and check the status block of the CR:

    kubectl get managementsecretrotation rotate-issuer -n namespace

    In the command, replace namespace with the namespace where you installed the Management subsystem.