---
layout: docs
page_title: Rotate TLS Certificates for Consul on Kubernetes
description: >-
In Consul Helm version 0.29.0 and later, new server agent TLS certificates are issued every time the Helm version is upgraded. Learn how to manually trigger certificate rotation if they do not rotate automatically.
---
# Rotate TLS Certificates for Consul on Kubernetes
As of Consul Helm version `0.29.0`, if TLS is enabled, new TLS certificates for the Consul Server
are issued every time the Helm chart is upgraded. These certificates are signed by the same CA and will
continue to work as expected in the existing cluster.
Consul servers read the certificates from Kubernetes secrets during start-up and keep them in memory. To ensure the
servers use the newer certificate, [restart the server pods explicitly](/docs/k8s/upgrade#upgrading-consul-servers)
whenever `helm upgrade` does not restart them.
To explicitly perform server certificate rotation, follow these steps:
1. Perform a `helm upgrade`:
```shell-session
$ helm upgrade consul hashicorp/consul --values /path/to/my/values.yaml
```
This should run the `tls-init` job that will generate new Server certificates.
1. Restart the Server pods following the steps [here](/docs/k8s/upgrade#upgrading-consul-servers).
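
Because the servers keep the old certificate in memory until they restart, it helps to confirm that each pod now serves the certificate stored in the secret. The script below is an added example, not part of the Consul documentation; the namespace, the secret name `consul-server-cert` with key `tls.crt`, the pod labels, port `8501`, and all function names are assumptions to adjust for your release.

```shell
#!/usr/bin/env bash
# Added example: report Consul server pods still serving the pre-rotation cert.
# Assumptions (not from the page): namespace, secret name and key, pod labels,
# HTTPS port 8501. Adjust them to match your release.
NS="${NS:-consul}"
SECRET="${SECRET:-consul-server-cert}"
SELECTOR="${SELECTOR:-app=consul,component=server}"
LOCAL_PORT="${LOCAL_PORT:-18501}"

# SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate currently stored in the Kubernetes secret.
secret_fingerprint() {
  kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.tls\.crt}' \
    | base64 --decode | fingerprint
}

# Fingerprint of the certificate a server pod presents on its HTTPS port.
served_fingerprint() {
  kubectl -n "$NS" port-forward "pod/$1" "$LOCAL_PORT:8501" >/dev/null 2>&1 &
  pf_pid=$!
  sleep 2   # give the port-forward time to start listening
  openssl s_client -connect "127.0.0.1:$LOCAL_PORT" </dev/null 2>/dev/null | fingerprint
  kill "$pf_pid" 2>/dev/null
  wait "$pf_pid" 2>/dev/null
}

# Compare fingerprints; a missing value is reported, never treated as a match.
rotation_status() {
  if [ -z "$1" ] || [ -z "$2" ]; then echo "unknown"
  elif [ "$1" = "$2" ]; then echo "rotated"
  else echo "stale"
  fi
}

check_servers() {
  want=$(secret_fingerprint)
  for pod in $(kubectl -n "$NS" get pods -l "$SELECTOR" \
      -o jsonpath='{.items[*].metadata.name}'); do
    echo "$pod $(rotation_status "$want" "$(served_fingerprint "$pod")")"
  done
}

# Runs only when invoked with "check" as the first argument.
if [ "${1:-}" = "check" ]; then check_servers; fi
```

A pod reported as `stale` is still presenting the certificate it loaded at start-up and needs the restart from the last step; `unknown` means one of the two fingerprints could not be read.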