How to Detect and Renew Expired Kubernetes API Server Certificates

This guide explains how to view Kubernetes certificates, check their expiration dates with kubeadm, renew them when needed, restart kubelet services, verify the renewal, and automate the whole process with a Bash script.

Efficient Ops

1. View the certificate

Use OpenSSL to display the certificate content and locate the Not After field.

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not

2. Check expiration

Run the kubeadm built-in command on a master node to list certificates and their remaining validity.

kubeadm certs check-expiration

The output shows each certificate, its expiration date and residual time, e.g.:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 05, 2025 12:11 UTC   91d             ca                      no
apiserver                  Aug 05, 2025 12:11 UTC   91d             ca                      no
apiserver-etcd-client      Aug 05, 2025 12:11 UTC   91d             etcd-ca                 no
apiserver-kubelet-client   Aug 05, 2025 12:11 UTC   91d             ca                      no

Alternatively, manually inspect a single certificate:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates

3. Renew certificates

If a certificate is close to expiry, renew all certificates with kubeadm:

kubeadm certs renew all

After renewal, restart the kubelet on every node so the new certificates take effect.

sudo systemctl daemon-reload
sudo systemctl restart kubelet

4. Verify renewal

Run kubeadm certs check-expiration again to confirm the dates have been updated.

5. Automate with a script

The whole process can be wrapped in a Bash script and executed as a systemd service.

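#!/bin/bash
# Renew all kubeadm-managed certificates and restart the control plane.
# Run as root on a control-plane node.
echo "## Check expiration ##"
kubeadm certs check-expiration
echo "## Renew certificates ##"
# Stop here if renewal fails, so the control-plane pods are not removed needlessly.
kubeadm certs renew all || exit 1
echo "## Restart control-plane pods ##"
# Remove the static control-plane pods; kubelet recreates them with the new certificates.
crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | xargs -r crictl rmp -f
echo "## Update kubeconfig ##"
# admin.conf holds cluster-admin credentials; keep the copy readable by root only.
mkdir -p /root/.kube
cp /etc/kubernetes/admin.conf /root/.kube/config
chmod 600 /root/.kube/config
echo "## Wait for apiserver to restart ##"
# Bash /dev/tcp probe: loop until a TCP connection to the API server port succeeds.
until printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/6443; do sleep 1; done
echo "## Verify after renewal ##"
kubeadm certs check-expiration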
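
The script above renews unconditionally; a scheduled job can instead act only when the RESIDUAL TIME column from step 2 falls below a threshold. The following is an added example, not part of the original article: `expiring_certs` and `sample_output` are hypothetical names, the table is constructed sample data, and it assumes the column layout shown in step 2 with the expiry printed in UTC.

```shell
#!/bin/sh
# Added example (not from the article): list certificates that are close to expiry.

# Constructed sample in the layout of `kubeadm certs check-expiration` output.
sample_output() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 05, 2025 12:11 UTC   91d             ca                      no
apiserver                  May 18, 2025 12:11 UTC   12d             ca                      no
apiserver-etcd-client      May 06, 2025 17:11 UTC   5h              etcd-ca                 no
front-proxy-client         May 01, 2025 12:11 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 03, 2034 12:11 UTC   9y              no
EOF
}

# Read the table on stdin and print "name residual" for every certificate
# with fewer than $1 days left. Expired ("<invalid>") and unparsable residual
# values count as -1 days, so they are reported rather than ignored.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }                  # skip headers, blank and log lines
        {
            r = $7                            # EXPIRES occupies fields 2 to 6
            if (r ~ /^[0-9]+y$/)          days = (r + 0) * 365
            else if (r ~ /^[0-9]+d$/)     days = r + 0
            else if (r ~ /^[0-9]+[hms]$/) days = 0
            else                          days = -1   # <invalid> or unparsed
            if (days < limit) print $1, r
        }'
}

# Demo on the constructed sample. On a control-plane node, pipe in the real
# command instead: kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

An empty result means nothing is inside the window, so the renewal and restart steps can be skipped for that run.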