# Manage Certificates and Keys

## Certificate Authorities
Several certificate authorities are generated when you create a cluster. You can retrieve the public certificate for some of these authorities by using the `exo compute sks authority-cert <CLUSTER-NAME|ID> <AUTHORITY>` command in the CLI.

The authorities are:

- `kubelet`: the authority generating certificates for the Kubelet daemon running on the workers.
- `aggregation`: the authority used by the aggregation layer.


## Addon credentials
Both the Exoscale Cloud Controller Manager (CCM) and Exoscale Container Storage Interface (CSI) addons need a set of credentials to communicate with the platform.
An IAM role and API key are created automatically per addon and per cluster on your account when you create or update a cluster with addons selected.
The lifecycle of these credentials is managed by Exoscale. They are deleted automatically once the cluster is deleted.

Credentials managed by Exoscale SKS all have the following naming scheme: `sks-<addon>-<cluster-id>`, e.g. `sks-ccm-859ece7e-f4ec-4eab-a77f-d06a1cfc08fd`.

If credentials are deleted unintentionally, you can *rotate* the specific credentials:

- from the CLI, with `exo compute sks rotate-ccm-credentials <CLUSTER-NAME|ID>` or, soon, `exo compute sks rotate-csi-credentials <CLUSTER-NAME|ID>`
- from the Portal, under cluster details
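
An audit built on the naming scheme above, as an added example (not Exoscale's own code): given credential names exported from your account and a caller-supplied map of cluster IDs to enabled addons, it reports credentials that are missing (candidates for rotation) and credentials left over from clusters that no longer exist. The `sks-csi-...` names, the second cluster ID and the input lists are constructed for illustration; how you export the names is up to you.

```python
import re

# Naming scheme from this page: sks-<addon>-<cluster-id>, with a UUID cluster ID.
SKS_NAME = re.compile(
    r"sks-(?P<addon>[a-z0-9]+)-"
    r"(?P<cluster>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
)


def parse_sks_name(name):
    """Return (addon, cluster_id) for an SKS-managed name, or None otherwise."""
    m = SKS_NAME.fullmatch(name)
    return (m.group("addon"), m.group("cluster")) if m else None


def audit(credential_names, clusters):
    """Compare the credentials that exist with the ones the clusters need.

    clusters maps cluster ID -> set of addons enabled on it (caller-supplied).
    Returns (missing, orphaned), each a sorted list of (addon, cluster_id).
    """
    present = {p for p in map(parse_sks_name, credential_names) if p}
    expected = {(a, cid) for cid, addons in clusters.items() for a in addons}
    missing = sorted(expected - present)
    orphaned = sorted(p for p in present if p[1] not in clusters)
    return missing, orphaned


# Constructed sample input: one ID is the page's example, the other is made up.
LIVE = "859ece7e-f4ec-4eab-a77f-d06a1cfc08fd"
GONE = "11111111-2222-4333-8444-555555555555"
SAMPLE_NAMES = [f"sks-ccm-{LIVE}", f"sks-csi-{GONE}", "ci-deploy-key"]
SAMPLE_CLUSTERS = {LIVE: {"ccm", "csi"}}

if __name__ == "__main__":
    missing, orphaned = audit(SAMPLE_NAMES, SAMPLE_CLUSTERS)
    for addon, cid in missing:
        # Rotation commands as given on this page (the CSI one is listed as "soon").
        print(f"missing {addon}: exo compute sks rotate-{addon}-credentials {cid}")
    for addon, cid in orphaned:
        print(f"orphaned: sks-{addon}-{cid} (cluster not found)")
```
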
