Kubenatives Newsletter

Kubernetes Certificate Management: Everything You Need to Know

Kubenatives Newsletter - Edition #14

Sharon Sahadevan
Mar 16, 2025
If you’re running a Kubernetes cluster with kubeadm, you might think certificates are just a "set-and-forget" feature—but they’re crucial to securing your cluster.

In this issue, we’ll cover everything about Kubernetes certificates, including:

✅ How Kubernetes uses certificates
✅ Where certificates are stored
✅ Certificate expiration and renewal
✅ CA certificate management
✅ Automating certificate rotation
✅ Handling internal CAs in secure enterprise environments
✅ How update-ca-trust works in Linux

By the end, you'll have a solid understanding of Kubernetes certificate management and the tools to ensure your cluster remains secure and operational.

Let’s dive in! 🚀


How Kubernetes Uses Certificates

Kubernetes uses TLS certificates for secure communication between:

🔹 The API server and kubelet
🔹 The API server and etcd
🔹 The API server and the controller manager, scheduler, and other control plane components
🔹 Users (kubectl) accessing the API server
🔹 External services interacting with Kubernetes

Each component authenticates with certificates to ensure that no unauthorized services can communicate with the cluster.


Where Kubernetes Stores Certificates

When you create a cluster using kubeadm, it automatically generates certificates and stores them in:

📁 /etc/kubernetes/pki/

Here’s a breakdown of key files:

Each of these certificates plays a role in securing different parts of the Kubernetes cluster.


Checking Kubernetes Certificate Expiry

Kubeadm-generated certificates expire after 1 year, except for CA certificates, which last 10 years.

To check expiration dates, run:

kubeadm certs check-expiration

🚨 If any certificates are close to expiring, renew them ASAP!
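
As a complement to the command above, here is an added example (not code from the newsletter or from kubeadm) that reads the certificate files directly with openssl and lists those expiring within a threshold, so the check can run from cron or a monitoring probe. The function name, the 30-day default and the two-level glob are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the newsletter): list certificates under a kubeadm
# PKI directory that expire within a given number of days.
# Assumptions: the function name, the 30-day default, and the two-level glob
# (DIR/*.crt and DIR/*/*.crt, which covers subdirectories such as etcd/).

# certs_expiring_within DIR [DAYS]
#   stdout: "<path> <notAfter date>" for each certificate expiring within DAYS
#   return: 0 = nothing expiring, 1 = at least one expiring, 2 = DIR missing
certs_expiring_within() {
    _dir=$1
    _days=${2:-30}
    _rc=0
    if [ ! -d "$_dir" ]; then
        echo "no such directory: $_dir" >&2
        return 2
    fi
    _secs=$((_days * 86400))
    for _crt in "$_dir"/*.crt "$_dir"/*/*.crt; do
        [ -f "$_crt" ] || continue        # glob matched nothing
        # Read notAfter; a file that does not parse as X.509 is reported and skipped
        if ! _end=$(openssl x509 -in "$_crt" -noout -enddate 2>/dev/null); then
            echo "skipped, not a certificate: $_crt" >&2
            continue
        fi
        # -checkend exits non-zero if the certificate expires within _secs seconds
        if ! openssl x509 -in "$_crt" -noout -checkend "$_secs" >/dev/null 2>&1; then
            printf '%s %s\n' "$_crt" "${_end#notAfter=}"
            _rc=1
        fi
    done
    return "$_rc"
}

# Usage on a control plane node (path from the section above):
#   certs_expiring_within /etc/kubernetes/pki 30 || echo "renewal needed"
```

This only inspects the .crt files under the directory; the client certificates embedded in kubeconfig files, which kubeadm certs check-expiration also reports, are not covered.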

© 2025 Sharon Sahadevan