Renew and Replace the TLS Certificate
This document describes how to renew and replace the certificates of the corresponding components before they expire, using the TLS certificates between the PD, TiKV, and TiDB components of a TiDB cluster as an example.
If you need to renew and replace certificates between other components in the TiDB cluster, the TiDB server-side certificate, or the MySQL client-side certificate, you can follow similar steps.
The renewal and replacement operations in this document assume that the original certificates have not expired. If the original certificates have expired or become invalid, you must generate new certificates and restart the TiDB cluster; refer to Enable TLS between TiDB components or Enable TLS for MySQL client.
Renew and replace the certificate issued by cert-manager
If the original TLS certificate is issued by cert-manager and has not expired, the procedure depends on whether the CA certificate also needs to be renewed.
Renew and replace the CA certificate
Only renew and replace certificates between components
When using cert-manager to issue certificates, you can configure the spec.renewBefore field of the Certificate resource so that cert-manager automatically renews the certificate before it expires.
cert-manager supports automatic renewal of component certificates and their corresponding Kubernetes Secret objects before expiration. To renew manually, refer to Renew certificates using cmctl.
For certificates between components, each component automatically loads the new certificates when it establishes new connections afterwards; existing connections keep using the certificate they were established with.
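The following Certificate manifest is an added example and is not part of the original document or of TiDB Operator itself. It shows how spec.renewBefore relates to spec.duration for a certificate used between TiDB components. The namespace, resource name, Secret name, issuer name, and DNS names are assumptions; replace them with the values used by your own cluster.

```yaml
# Added example, not from the original document. Namespace, names, issuer
# and DNS names are assumptions for illustration only.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cluster-pd-cluster-secret
  namespace: example-ns
spec:
  # Secret that cert-manager creates and keeps updated; the component
  # mounts tls.crt, tls.key and ca.crt from it.
  secretName: example-cluster-pd-cluster-secret
  # Validity period of each issued certificate (365 days).
  duration: 8760h
  # cert-manager starts re-issuing this long before notAfter, so with the
  # values above a new certificate is issued about 335 days after issue.
  # Leave enough margin for issuance to finish and for every component to
  # open new connections with the new certificate before the old one expires.
  renewBefore: 720h
  commonName: example-cluster-pd
  usages:
    - server auth
    - client auth
  dnsNames:
    - "example-cluster-pd"
    - "example-cluster-pd.example-ns"
    - "example-cluster-pd.example-ns.svc"
    - "*.example-cluster-pd-peer"
    - "*.example-cluster-pd-peer.example-ns"
    - "*.example-cluster-pd-peer.example-ns.svc"
  ipAddresses:
    - 127.0.0.1
    - ::1
  issuerRef:
    name: example-issuer
    kind: Issuer
```

If spec.renewBefore is omitted, cert-manager renews at two thirds of spec.duration. You can confirm the scheduled renewal time with kubectl describe certificate, which reports it in the status.renewalTime field, and trigger a manual renewal with cmctl renew followed by the Certificate name. To check that the Secret really carries the new certificate, decode its tls.crt entry and inspect the notAfter date with openssl x509 -noout -enddate.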