openshift · mburke5678 · Apr 17, 2025 · Apr 17, 2025 · Apr 25, 2025 · Apr 25, 2025
diff --git a/release_notes/ocp-4-19-release-notes.adoc b/release_notes/ocp-4-19-release-notes.adoc
@@ -427,6 +427,16 @@ Starting in {product-title} 4.14, Extended Update Support (EUS) is extended to t
 [id="ocp-release-notes-machine-config-operator_{context}"]
 === Machine Config Operator
 
+[id="ocp-release-notes-machine-config-operator-cert-changes_{context}"]
+==== Changes to the Machine Config Operator
+The Machine Config Server (MCS) CA bundle created by the installation program is now stored in the `machine-config-server-ca` config map in the `openshift-machine-config-operator` namespace. The bundle was previously stored in the `root-ca` configmap in the `kube-system namespace`. The `root-ca` configmap is no longer used in a cluster that cluster upgrades to {product-title} {product-version}. This change was made to make it clear that this CA bundle is managed by the Machine Config Operator (MCO).
+
+The MCS signing key is stored in the `machine-config-server-ca` secret in the `openshift-machine-config-operator` namespace.
+
+The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
-The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
+The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon upgrade to {product-title} {product-version}, the CA signing key is not present. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
-The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
+The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon upgrade to {product-title} {product-version}, the CA signing key is not present. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
+
+For more information about the MCO certificates, see ../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates
+
 [id="ocp-release-notes-management-console_{context}"]
 === Management console