Extend Kubernetes Certificate Expiration to 10 Years with a Simple Script

This guide shows how to check the default 1‑year and 10‑year Kubernetes certificates using OpenSSL, then extend all relevant kubeadm‑issued certificates to a ten‑year lifespan by deploying and running the update‑kubeadm‑cert.sh script on each master node, and finally verify the new validity periods.

Full-Stack DevOps & Kubernetes

Background

When a Kubernetes cluster is initialized with kubeadm, the default CA certificate is valid for 10 years, while the apiserver certificate is valid for only 1 year. After the apiserver certificate expires, API requests fail.

Check Current Certificate Expiration

Use OpenSSL to view the Not Before and Not After fields of the certificates:

openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text | grep Not
Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 20 04:09:07 2030 GMT
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 22 04:09:07 2021 GMT

Extend Certificate Validity

1. Obtain the update-kubeadm-cert.sh script from the GitHub repository:

https://github.com/luckylucky421/kubernetes1.17.3

Copy the script to each master node (e.g., master1, master2, master3).

2. On each master node, make the script executable and run it to extend all certificates to ten years:

chmod +x update-kubeadm-cert.sh
./update-kubeadm-cert.sh all

3. Verify that control‑plane pods are running after renewal:

kubectl get pods -n kube-system
......
calico-node-b5ks5                  1/1     Running   0          157m
calico-node-r6bfr                  1/1     Running   0          155m
calico-node-r8qzv                  1/1     Running   0          7h1m
coredns-66bff467f8-5vk2q           1/1     Running   0          7h30m
......

Verify Extended Expiration

Re‑run the OpenSSL commands to confirm the new validity periods (now 10 years for all certificates):

openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -text | grep Not
Not Before: Apr 22 04:09:07 2020 GMT
Not After : Apr 20 04:09:07 2030 GMT
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
Not Before: Apr 22 11:15:53 2020 GMT
Not After : Apr 20 11:15:53 2030 GMT
openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text | grep Not
Not Before: Apr 22 11:32:24 2020 GMT
Not After : Apr 20 11:32:24 2030 GMT
openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text | grep Not
Not Before: Apr 22 04:09:08 2020 GMT
Not After : Apr 20 04:09:08 2030 GMT

All certificates now show a ten‑year expiration window, confirming successful renewal.
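
The checks above inspect four files by hand. As an added example (not part of the article or of update-kubeadm-cert.sh), the POSIX shell functions below report the Not After date of every certificate under the kubeadm PKI directory, including the client certificates embedded in kubeconfig files such as admin.conf, and flag any that expire within a warning window. The function names and the 30-day default are assumptions of this example; the paths are the kubeadm defaults.

```shell
#!/bin/sh
# Added example; not part of the article or of update-kubeadm-cert.sh.
# Function names and the 30-day default window are this example's own.

# cert_status PEM WARN_DAYS -> prints "OK <notAfter>" or "EXPIRING <notAfter>"
cert_status() {
  end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
  state=OK
  # -checkend exits non-zero when the certificate expires within N seconds
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 ||
    state=EXPIRING
  echo "$state ${end#notAfter=}"
}

# kubeconfig_cert KUBECONFIG OUT_PEM -> writes the embedded client cert, if any
kubeconfig_cert() {
  awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" |
    base64 -d > "$2" 2>/dev/null
  [ -s "$2" ]
}

# audit PKI_DIR KUBECONFIG_DIR WARN_DAYS -> one line per certificate;
# returns 1 if any certificate falls inside the warning window
audit() {
  rc=0
  tmp=$(mktemp) || return 2
  for f in "$1"/*.crt "$1"/etcd/*.crt "$2"/*.conf; do
    [ -f "$f" ] || continue
    pem=$f
    # kubeconfigs that only reference a certificate file are skipped
    case $f in
      *.conf) kubeconfig_cert "$f" "$tmp" || continue; pem=$tmp ;;
    esac
    status=$(cert_status "$pem" "$3") || continue
    echo "$status  $f"
    case $status in OK\ *) ;; *) rc=1 ;; esac
  done
  rm -f "$tmp"
  return "$rc"
}

# Run against the kubeadm default paths only when asked to:
#   sh cert-audit.sh run [warn-days]
if [ "${1:-}" = run ]; then
  audit /etc/kubernetes/pki /etc/kubernetes "${2:-30}"
fi
```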
