# Manage internal network access compliance

After the device is bootstrapped successfully, the administrator must rotate the
secrets every three months to ensure that the device is compliant and secure.

Before you begin
----------------

Complete the following steps:

1. Ensure that you meet the [laptop prerequisites](/distributed-cloud/hosted/docs/latest/appliance/admin/laptop).
2. Complete the following actions regarding the `gdcloud` command-line interface (CLI) tools:
   1. [Download](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-download) the `gdcloud` CLI tools.
   2. [Install](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-install) the `gdcloud` CLI tools.
   3. [Upgrade](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-upgrade) the `gdcloud` CLI tools as required.

Rotate the network access secrets
---------------------------------

To rotate network access secrets, complete the following steps on the
bootstrapper machine:

1. Connect a bootstrapper machine to port 12 of the switch.
2. Set up the bootstrapper IPs:

       gdcloud appliance system network init \
         --config CELLCONFIG \
         --data-interface DATA_INTERFACE

   Replace the following:
   - `CELLCONFIG`: the path to the cellconfig generated after [configuring the appliance](/distributed-cloud/hosted/docs/latest/appliance/admin/setup#configure-the-appliance).
   - `DATA_INTERFACE`: the network interface name on the bootstrapper connected to port 12 of the switch.
3. Rotate the TLS certificate on the switch:

       gdcloud appliance rotate switch-certificate \
         --kubeconfig KUBECONFIG

   Replace `KUBECONFIG` with the path to the kubeconfig
   file for the org infrastructure cluster saved during the
   [emergency credentials setup](/distributed-cloud/hosted/docs/latest/appliance/admin/setup#back_up_emergency_credentials).

   The certificate that you generated is valid for three months and is not
   renewed until you manually rotate the certificate using the preceding
   process. Keep track of the date when you rotated the TLS certificate so
   that you know when to repeat this process. Generate the certificate every
   three months. Failing to rotate the TLS certificate every three months will
   result in network secret rotation failure, as well as
   [upgrade](/distributed-cloud/hosted/docs/latest/appliance/admin/update-patch) failure.
4. Rotate all login passwords on the switch:

       gdcloud appliance rotate switch-credentials \
         --kubeconfig KUBECONFIG

Last updated 2025-09-04 UTC.
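
One way to keep track of the rotation dates that the procedure above asks you to remember. This is an added example, not part of the original documentation or the `gdcloud` tooling. The state file path, the 90-day reading of "three months", the 14-day warning window, and the function names are all assumptions.

```shell
#!/bin/sh
# Added example: record each successful switch secret rotation and report
# when the next one is due. Only the two `gdcloud appliance rotate` commands
# come from the page; everything else here is hypothetical.

STATE_FILE="${STATE_FILE:-$HOME/.gdc-switch-rotation.log}"  # assumed location
MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"  # assumption: "three months" taken as 90 days
WARN_DAYS="${WARN_DAYS:-14}"        # assumption: warn two weeks ahead

# Run one of the page's rotate commands and log the date only if it succeeds.
# usage: rotate_and_record switch-certificate|switch-credentials KUBECONFIG
rotate_and_record() {
  local target="$1" kubeconfig="$2"
  gdcloud appliance rotate "$target" --kubeconfig "$kubeconfig" || return 1
  printf '%s %s\n' "$(date -u +%s)" "$target" >> "$STATE_FILE"
}

# Print OK, DUE_SOON, OVERDUE or NEVER for a target, based on its most recent
# log entry. Returns 0 for OK, 1 for DUE_SOON, 2 for OVERDUE or NEVER, so it
# can drive a cron job or monitoring check.
# usage: rotation_status TARGET [NOW_EPOCH]
rotation_status() {
  local target="$1" now="${2:-$(date -u +%s)}" last age
  # The last matching line wins, so the log can simply be appended to.
  last=$(awk -v t="$target" '$2 == t { ts = $1 } END { print ts }' \
           "$STATE_FILE" 2>/dev/null)
  if [ -z "$last" ]; then
    echo NEVER
    return 2
  fi
  age=$(( (now - last) / 86400 ))
  if [ "$age" -ge "$MAX_AGE_DAYS" ]; then
    echo OVERDUE
    return 2
  elif [ "$age" -ge $(( MAX_AGE_DAYS - WARN_DAYS )) ]; then
    echo DUE_SOON
    return 1
  fi
  echo OK
  return 0
}
```

Because an expired certificate blocks both secret rotation and upgrades, treat `DUE_SOON` as the signal to schedule the procedure rather than waiting for `OVERDUE`.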