Kubernetes Certificate Management: Everything You Need to Know
Kubernetes Certificate Management: Renewal and Expiry Guide
If you’re running a Kubernetes cluster with kubeadm, you might think certificates are just a "set-and-forget" feature—but they’re crucial to securing your cluster.
In this issue, we’ll cover everything about Kubernetes certificates, including:
How Kubernetes uses certificates
Where certificates are stored
Certificate expiration and renewal
CA certificate management
Automating certificate rotation
Handling internal CAs in secure enterprise environments
How update-ca-trust works in Linux
By the end, you'll have a solid understanding of Kubernetes certificate management and the tools to ensure your cluster remains secure and operational.
Let’s dive in!
How Kubernetes Uses Certificates
Kubernetes uses TLS certificates for secure communication between:
The API server and kubelet
The API server and etcd
The API server and the controller manager, scheduler, and other control plane components
Users (kubectl) accessing the API server
External services interacting with Kubernetes
Each component authenticates with certificates to ensure that no unauthorized services can communicate with the cluster.
Where Kubernetes Stores Certificates
When you create a cluster using kubeadm, it automatically generates certificates and stores them in:
📁 /etc/kubernetes/pki/
Here’s a breakdown of key files:
Each of these certificates plays a role in securing different parts of the Kubernetes cluster.
Checking Kubernetes Certificate Expiry
Kubeadm-generated certificates expire after 1 year, except for CA certificates, which last 10 years.
To check expiration dates, run:
kubeadm certs check-expiration
If any certificates are close to expiring, renew them ASAP!
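As an added example (not part of the original post and not a kubeadm tool), here is a small POSIX shell script that performs the same expiry check with openssl and returns a non-zero exit code when anything is inside a warning window, so it can feed a cron mail or an alerting hook. It assumes kubeadm's default certificate directory /etc/kubernetes/pki with the etcd certificates under its etcd/ subdirectory; the 30-day window and the script name check-k8s-certs.sh are assumptions.

```shell
#!/bin/sh
# Report kubeadm-managed certificates that expire within a warning window.
# Relies on `openssl x509 -checkend SECONDS`, which exits non-zero when the
# certificate will no longer be valid SECONDS from now.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"   # kubeadm's default certificate directory
WARN_DAYS="${WARN_DAYS:-30}"                # assumed warning window

# cert_expires_within FILE DAYS -> returns 0 if FILE expires within DAYS days
cert_expires_within() {
    _seconds=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$_seconds" -in "$1" >/dev/null 2>&1; then
        return 1   # still valid after the window
    fi
    return 0
}

# check_pki_dir DIR DAYS -> prints one line per certificate (DIR/*.crt and DIR/etcd/*.crt,
# which is where kubeadm keeps the etcd certificates) and returns 1 if any is within the window
check_pki_dir() {
    _dir=$1
    _days=$2
    _rc=0
    for _crt in "$_dir"/*.crt "$_dir"/etcd/*.crt; do
        [ -f "$_crt" ] || continue
        _end=$(openssl x509 -noout -enddate -in "$_crt" | cut -d= -f2)
        if cert_expires_within "$_crt" "$_days"; then
            printf 'WARN  %-50s expires %s\n' "$_crt" "$_end"
            _rc=1
        else
            printf 'OK    %-50s expires %s\n' "$_crt" "$_end"
        fi
    done
    return $_rc
}

# When executed as a script (not sourced), check the node's PKI directory and
# exit non-zero if something needs renewing.
if [ "${0##*/}" = "check-k8s-certs.sh" ]; then
    check_pki_dir "$PKI_DIR" "$WARN_DAYS"
fi
```

Run it as root on a control plane node (the private keys' directory is not world-readable) and treat a non-zero exit as "renew now"; kubeadm certs check-expiration remains the authoritative view because it also reports the certificates embedded in the kubeconfig files.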
Renewing Kubernetes Certificates
To manually renew all Kubernetes certificates, run:
kubeadm certs renew all
Or renew specific ones:
kubeadm certs renew apiserver
kubeadm certs renew etcd-server
After renewal, restart control plane components for changes to take effect:
systemctl restart kubelet
Note that restarting the kubelet does not by itself restart the control plane static Pods (kube-apiserver, kube-controller-manager, kube-scheduler, etcd), and not all of them reload certificates dynamically. If a component is still serving the old certificate, move its manifest out of /etc/kubernetes/manifests/ for about 20 seconds and then back; that is the restart procedure kubeadm documents, since kubectl cannot delete static Pods.
Renewing Kubernetes CA Certificates (Careful!)
The CA certificate lasts 10 years, but kubeadm does not renew it for you: it has to be rotated manually, and well before it expires.
If the CA certificate expires, all kubeadm-managed certificates will become invalid, and your cluster will stop working!
kubeadm has no certs renew ca subcommand, so the CA itself is replaced by following the kubeadm documentation on manual CA rotation (the new CA must be trusted by every node and client before the old one is retired). Once the new CA is in place, re-issue the kubeadm-managed certificates and restart:
kubeadm certs renew all
systemctl restart kubelet
Handling Custom CAs in Secure Enterprise Environments
Many enterprises use internally issued certificates instead of public Certificate Authorities (CAs). If your Kubernetes cluster needs to trust an internal CA, follow these steps:
Add the Internal CA Certificate to the System Trust Store
On RHEL/CentOS:
cp company-root-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
On Debian/Ubuntu:
cp company-root-ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
This updates the system-wide trusted CA store, so host processes (the kubelet, and the container runtime when it pulls from an internal registry) trust your internal CA. It does not reach into containers: a workload uses its image's own trust store, so a pod that must talk to the internal service needs the CA baked into its image or mounted into the pod.
Verify Internal CA Trust
After updating, check if the internal CA is recognized:
openssl s_client -connect your-internal-service:443 -CApath /etc/ssl/certs/
If the output ends with Verify return code: 0 (ok) and no certificate errors appear, the internal CA is properly configured. Keep in mind that -CApath expects a c_rehash-style hashed directory, which Debian's update-ca-certificates maintains under /etc/ssl/certs; on RHEL/CentOS point -CAfile at /etc/pki/tls/certs/ca-bundle.crt instead.
Automating Kubernetes Certificate Renewal
Instead of renewing certificates manually, set up automatic renewal using a cron job:
0 0 1 */6 * root kubeadm certs renew all && systemctl restart kubelet
This runs at midnight on the first day of every sixth month, well inside the 1-year validity. The line includes a user field, so it belongs in /etc/cron.d/ or /etc/crontab rather than a user crontab. Because kubeadm certs renew all also rewrites admin.conf and the other kubeconfig files under /etc/kubernetes, refresh any copy of admin.conf you keep in ~/.kube/config afterwards.
Best Practices for Kubernetes Certificate Management
Monitor Expiration Dates: Use Prometheus, Grafana, or an alerting system.
Automate Renewal: Use a cron job or an automation tool.
Backup Certificates: Before renewing, backup /etc/kubernetes/pki/.
Rotate CA Certificates Carefully: Plan CA rotation well in advance.
Use External Certificate Management: Consider cert-manager for automation.
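Putting the cron job and the "Backup Certificates" practice together, here is an added wrapper script (not from the original post and not a kubeadm tool) that the cron entry can call instead of running kubeadm certs renew all bare: it snapshots the PKI directory, renews, and then restarts the control plane static Pods the way kubeadm's documentation describes before restarting the kubelet. The backup location /var/backups/kubernetes-pki, the script name renew-k8s-certs.sh, the 20-second pause and the KUBEADM override variable are assumptions.

```shell
#!/bin/sh
# Back up /etc/kubernetes/pki, run `kubeadm certs renew all`, then restart the
# control-plane static Pods so they actually load the renewed certificates.
set -eu

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"                  # kubeadm default
MANIFEST_DIR="${MANIFEST_DIR:-/etc/kubernetes/manifests}"  # kubeadm default
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/kubernetes-pki}"  # assumed location
KUBEADM="${KUBEADM:-kubeadm}"                              # overridable for dry runs off-node
PAUSE="${PAUSE:-20}"                                       # seconds the manifests stay moved away

# backup_pki SRC DEST_ROOT -> writes DEST_ROOT/pki-<UTC stamp>.tar.gz and prints its path.
# The archive holds private keys, so the directory and file are made owner-only.
backup_pki() {
    _src=$1
    _root=$2
    _out="$_root/pki-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$_root"
    chmod 700 "$_root"
    tar -czf "$_out" -C "$(dirname "$_src")" "$(basename "$_src")"
    chmod 600 "$_out"
    printf '%s\n' "$_out"
}

# restart_static_pods DIR -> moves every *.yaml in DIR aside for PAUSE seconds, then back.
# The kubelet stops a static Pod whose manifest disappears and recreates it when the
# manifest returns; kubectl cannot delete static Pods, and a plain kubelet restart
# leaves their containers running with the old certificates.
restart_static_pods() {
    _dir=$1
    _hold=$(mktemp -d)
    _moved=0
    for _m in "$_dir"/*.yaml; do
        [ -f "$_m" ] || continue
        mv "$_m" "$_hold/"
        _moved=1
    done
    if [ "$_moved" -eq 1 ]; then
        sleep "$PAUSE"
        mv "$_hold"/*.yaml "$_dir"/
    fi
    rmdir "$_hold"
}

# main -> backup, renew, restart; any failing step aborts (set -e) with a non-zero
# exit, which cron reports by mail.
main() {
    _bak=$(backup_pki "$PKI_DIR" "$BACKUP_ROOT")
    echo "pki backed up to $_bak"
    "$KUBEADM" certs renew all
    restart_static_pods "$MANIFEST_DIR"
    systemctl restart kubelet
}

# Run main only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in renew-k8s-certs.sh) main ;; esac
```

With the script installed as /usr/local/sbin/renew-k8s-certs.sh, the cron command becomes just that path; the backups are plain tarballs, so restoring after a bad renewal is tar -xzf into /etc/kubernetes followed by the same static Pod restart.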
Using Cert-Manager for Automatic TLS Certificates
For fully automated certificate management, use cert-manager. It:
Automatically renews TLS certificates
Supports Let's Encrypt, Vault, and self-signed certificates
Provides Kubernetes-native Issuer and Certificate resources
Install cert-manager with Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
cert-manager then issues and renews the TLS certificates for your workloads (Ingress resources, webhooks, services) without manual intervention. It does not manage the kubeadm control plane certificates in /etc/kubernetes/pki, which still need kubeadm certs renew.
Final Thoughts
Kubernetes certificate management isn’t optional—it’s critical!
Without proper renewal, expired certificates can bring your cluster down.
What You Should Do Today:
Run kubeadm certs check-expiration to check your cluster’s certificates
Set up automatic renewal with kubeadm certs renew all
If using internal CA certificates, make sure they are properly added to the trust store
Consider cert-manager for long-term automation
That’s all for this edition of Kubenatives. If you found this useful, share it with your team!