How to renew Kubernetes certificates
During the setup of a Kubernetes cluster you may have noticed that a folder called /etc/kubernetes/pki is created. Inside it you will find a number of certificates and keys.
These certificates secure the connections between the Kubernetes components: client to API server, API server to etcd, kubelet to API server, and so on. All of these connections use TLS.
By default, when you set up a cluster with kubeadm, these certificates are issued for one year, except for the CA certificates.
Kubernetes has three CAs:
- Kubernetes CA (ca.crt)
- etcd CA (etcd/ca.crt)
- front-proxy CA (front-proxy-ca.crt)
The CA certificates are valid for 10 years by default, so they rarely need to be renewed. All the other certificates must be renewed once a year; if they expire, the cluster stops working.
Below is the command to check when the certificates expire, followed by the expected output.
Let's assume that you need to renew the etcd-server certificate and key. The kubeadm utility can renew it for you.
Before renewing, back up the /etc/kubernetes/pki folder.
Execute the command below.
This renews the etcd-server certificate. To verify, check the timestamps of the server.crt and server.key files under /etc/kubernetes/pki/etcd. Note that etcd reads its certificate only at start-up, so the etcd static pod (and any other component whose certificate you renew) has to be restarted before the new certificate is used.
Another way to verify is to run the same expiry command again: the expiry date of the certificate will have changed.
You can do the same for any certificate in the cluster as required; replace etcd-server with the name of the certificate you want to renew.
On Kubernetes 1.19 and later the alpha keyword is dropped from the command, so it becomes:
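The steps above collected into one script, as an added example that is not part of the original post: it backs up /etc/kubernetes/pki into a timestamped archive, checks expiry with openssl (which works on any kubeadm version and also on a node where kubeadm is not installed), chooses `kubeadm certs` or `kubeadm alpha certs` from the kubeadm version, renews the named certificate and reminds you to restart the static pod that uses it. The PKI_DIR and BACKUP_DIR variables and the function names are my own choices, not kubeadm's.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes a kubeadm-built control
# plane (kubeadm >= 1.15, which has `kubeadm alpha certs`; 1.19+ uses
# `kubeadm certs`) and an openssl binary on the node. Run as root.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"          # assumed default layout
BACKUP_DIR="${BACKUP_DIR:-/root/pki-backups}"      # my own choice of location

# Run a `certs` sub-command with or without "alpha", based on kubeadm's minor version.
kubeadm_certs() {
  minor=$(kubeadm version -o short | cut -d. -f2)   # e.g. v1.19.0 -> 19
  if [ "$minor" -ge 19 ]; then
    kubeadm certs "$@"
  else
    kubeadm alpha certs "$@"
  fi
}

# Archive the whole PKI directory (keys included) and print the archive path.
backup_pki() {
  pki="${1:-$PKI_DIR}"
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/pki-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$out" -C "$(dirname "$pki")" "$(basename "$pki")"
  chmod 600 "$out"                                    # the archive holds private keys
  echo "$out"
}

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend succeeds only when the cert is still valid past the window.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Print notAfter for every .crt under PKI_DIR, flagging those expiring within $1 days.
report_expiry() {
  days="${1:-30}"
  find "$PKI_DIR" -name '*.crt' | sort | while read -r crt; do
    printf '%-40s %s' "${crt#"$PKI_DIR"/}" \
      "$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)"
    if expires_within_days "$crt" "$days"; then
      printf '  <-- expires within %s days' "$days"
    fi
    printf '\n'
  done
}

# Back up, renew one kubeadm-managed certificate (etcd-server, apiserver, ...),
# show the new expiry, and remind the operator about the restart.
renew_cert() {
  name="$1"
  archive=$(backup_pki)
  echo "backup written to $archive"
  kubeadm_certs renew "$name"
  kubeadm_certs check-expiration
  echo "NOTE: restart the static pod that uses '$name' (for example by moving its" \
       "manifest out of /etc/kubernetes/manifests and back) so it loads the new certificate"
}
```

Source the file and run `renew_cert etcd-server` on the control-plane node; `report_expiry 30` lists every certificate under /etc/kubernetes/pki and flags those expiring within 30 days. Keep in mind that kubeadm does not renew the kubelet's own client certificate; the kubelet rotates that one itself.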