KOTS: Manually Updating Admin TLS Certificate

Kellen Fields
Kellen Fields

Author: Kellen F.

Date: 12/22/2023

Audience: Everyone

Environmental details: Self-hosted KOTS


To set the KOTS Admin Console's TLS certificate (if it has expired or you no longer want to use the provided self-signed certificate), there is a setup step you must take to be able to navigate back to the http://<jamaconnecthostname>:8800/tls site to re-apply.


1. On the application server CLI, run the following command to allow the upload of a new TLS certificate: 

 kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite

2.  Next, use this command to retrieve the name of the kurl-proxy pod we will delete in the next step

 kubectl get pods -A | grep kurl-proxy | awk '{print $2}'

3. Now that we have the pod's name, delete the proxy server pod,

kubectl delete pods KURL_PROXY_POD

, replacing KURL_PROXY_POD with the name retrieved in step 2.

4. This pod will automatically restart. Once it is up, you can navigate to http://<jamaconnecthostname>:8800/tls and upload a new certificate.


Suppose you have previously uploaded a certificate or used a self-signed certificate. In that case, the KOTS admin page will only allow you to upload a new certificate if you follow these steps.

Additional Resources:



Related to

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request


1 comment

  • Comment author

    Just a quick update - this is also the preferred method of updating your TLS certificate. If you're having trouble uploading a PEM certificate, try this method with your certificate in .key and .crt format. You should be able to get a copy from your Certificate Authority.


Please sign in to leave a comment.