Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure Operator Nexus deploys an in-cluster public key infrastructure (PKI) on every cluster. Each cluster maintains a self-signed certificate authority (CA) hierarchy that never leaves the site, ensuring that cryptographic trust is isolated per deployment. This isolation minimizes the impact of any compromise.
PKI architecture overview
- Per-cluster trust boundary: Each Azure Operator Nexus instance provisions an independent root CA. There's no shared CA across clusters, and certificates are never reused between sites.
- Self-contained issuance: Certificate issuance and renewal are performed locally inside the Kubernetes control plane. Certificates aren't requested from external or centralized PKI services.
- Purpose-specific issuers: Dedicated intermediate issuers sign certificates for distinct workloads (human-operated consoles versus internal services) to minimize privilege scope.
This architecture allows customers to operate in disconnected or semi-connected environments while retaining the benefits of TLS authentication, encryption in transit, and cryptographic auditability.
Certificate management with cert-manager
Azure Operator Nexus relies on cert-manager to automate certificate lifecycles:
- Issuer objects are defined for each certificate purpose (interface access, internal services, and other specialized workloads).
- Certificate resources request leaf certificates from the appropriate issuer, including Subject Alternative Names (SANs) required by platform components.
- Renewal automation is driven by cert-manager, which renews leaf certificates before expiration and rotates them transparently across the platform.
- Secret distribution to pods and services is handled through Kubernetes secrets and projected volumes, ensuring workloads always present valid certificates.
Certificate rotation and lifetime
- Automatic rotation: cert-manager renews certificates before they expire based on the
Certificateresource settings (such asdurationandrenewBefore). - Default certificate lifetime: Most Azure Operator Nexus leaf TLS certificates are issued for 70 days.
- Exceptions: Some components use different lifetimes.
- Etcd snapshotter: Issues server and client certificates with a 1-year lifetime.
- Token service: Issues its CA and server certificates with a 3-year lifetime.
- Renewal window: Certificates are typically renewed about 23 days before expiration.
Important
If a TLS certificate expires, clients that validate TLS refuse the connection. Some user-facing tools let you bypass validation (for example, a browser click-through), but platform services require validation to stay on. Renew the certificate so workloads pick up the updated secret.
Warning
iDRAC expects a 60-day certificate lifetime and raises alerts as expiration nears. This differs from the platform 70-day lifetime and is under review. Certificate renewal currently starts about 13 days before the iDRAC-expected expiration.
Because all issuance is in-cluster, operators retain full control over the trust fabric without depending on external connectivity or services.
Issuer hierarchy
Two primary issuers are deployed per cluster to align with the different trust requirements of human-operated interfaces and service workloads.
Interface issuer
- Purpose: Signs TLS certificates used by resource interfaces, including bare metal machine BMC/iDRAC and storage appliance management endpoints.
- Scope: Only certificates for management endpoints.
- Rotation: cert-manager renews interface certificates before expiration. These certificates are typically issued for 70 days and renewed before expiry.
Infra issuer
- Purpose: Issues certificates for platform microservices and service-to-service APIs.
- Scope: Internal webhook services and other platform workloads.
- Rotation: Certificates are automatically rotated. These certificates are typically issued for 70 days and renewed before expiry.
Certificate usage scenarios
| Scenario | Issuer | Example consumers | Trust objective |
|---|---|---|---|
| Out-of-band management access | Interface | iDRAC consoles, storage appliance dashboards, break-glass interfaces | Provide encrypted and authenticated human access paths |
| Platform control plane traffic | Infra | admission webhooks, platform microservices | Ensure encrypted service-to-service communication and mutual authentication |
Viewing CA certificates and hashes
Operators often need to verify that TLS endpoints present the expected CA certificate and fingerprint. Azure Operator Nexus exposes this information through both the Azure portal and Azure CLI.
Note
Viewing CA certificate metadata requires the Azure Operator Nexus 2025-09-01 API version or later.
Bare metal machine resources
Azure portal:
- Navigate to Azure Operator Nexus > Bare metal machines.
- Open the target bare metal machine resource.
- Select JSON View.
- Select 2025-09-01 or later API version.
- Review the CA certificate value and the SHA-256 hash of the issuer that signed the active TLS certificate.
Azure CLI:
az networkcloud baremetalmachine show \ --subscription <subscription> --resource-group <cluster-managed-resource-group> \ --name <bareMetalMachineName> \ --query "caCertificate" \ --output tsvThis command returns the PEM-encoded CA certificate that issued the current TLS certificate and its SHA-256 hash (fingerprint) for quick comparison against trusted values.
Storage appliance resources
Azure portal:
- Navigate to Azure Operator Nexus > Storage appliances.
- Open the target storage appliance resource.
- Select JSON View.
- Select 2025-09-01 or later API version.
- Review the CA certificate value and the SHA-256 hash of the issuer that signed the active TLS certificate.
Azure CLI:
az networkcloud storageappliance show \ --subscription <subscription> --resource-group <cluster-managed-resource-group> \ --name <storageApplianceName> \ --query "caCertificate" \ --output tsv
Related content
PKI is one component of Azure Operator Nexus security. The PKI system works with these credential rotation mechanisms to provide comprehensive authentication and encryption across the platform.