# k3s
c
Run it on all the ones you want rotated. It only rotates the server certs, the CA certs require a different process, and agent certs are rotated every startup.
a
we want to rotate the CA certs, but could do with just rotating the client ones. From what I've seen on one thread, it seems the `certificate rotate` command does not rotate client certs, so we're just rotating CA
so my questions are:
• can I just rotate the client certificate instead of the CA?
• in either case, how do I apply it to the entire cluster?
c
Read the docs. That thread is not relevant to current releases of k3s that have specific commands to rotate the CA certs.
I suspect that I'm one of the people in that thread but the names have been obfuscated and it was over a year ago
a
Ah, so it's self-signed CA certs
b
on a somewhat related note, “The server token can be used to join both server and agent nodes to the cluster. It cannot be changed once the cluster has been created, and anyone with access to the server token essentially has full administrator access to the cluster.” - does this mean a k3s server cannot move from using the secure token to using the insecure version (provided the password remains the same)?
c
It is only the password portion of the token that can't be changed. And actually that needs to be updated; there is now support for token rotation via another subcommand.
a
Hey one more question, looking at the CA rotation script, it mentions this snippet in a comment
```
# The resulting cluster CA bundle will
# allow existing certificates to be trusted up until the original root CAs expire.
```
Does that mean client certs signed by the old CA would still be valid? What if I'm rotating because there's a risk of a compromised client cert?
n
Yeah rotating the server token, I haven't written the docs page yet, but you can read the PR https://github.com/k3s-io/k3s/pull/8265 for some examples.