How to Fix Expired Kubernetes Certificates with kubeadm
This guide shows how to check certificate expiration in a Kubernetes cluster, renew all certificates using kubeadm, and verify the renewal, helping you resolve the “certificate has expired or is not yet valid” error.
Check Certificate Expiration
Run kubeadm certs check-expiration on the control-plane node to list the current expiration dates of all cluster certificates. The output looks like this:
<code>[check-expiration] Reading configuration from the cluster...</code>
<code>[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'</code>
<code>CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED</code>
<code>admin.conf    Jan 04, 2024 13:49 UTC   363d            ca                      no</code>
<code>apiserver     Jan 04, 2024 13:48 UTC   363d            ca                      no</code>
<code>... (other certificates omitted for brevity) ...</code>
<code>ca            Jan 01, 2033 13:48 UTC   9y                                      no</code>
The output shows each certificate’s expiration date and how many days remain.
Renew All Certificates
Use kubeadm certs renew all on the control-plane node to renew every certificate that kubeadm manages. The CA certificate itself is not renewed by this command:
<code># kubeadm certs renew all</code>
<code>[renew] Reading configuration from the cluster...</code>
<code>[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'</code>
<code>certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed</code>
<code>certificate for serving the Kubernetes API renewed</code>
<code>certificate the apiserver uses to access etcd renewed</code>
<code>certificate for the API server to connect to kubelet renewed</code>
<code>certificate embedded in the kubeconfig file for the controller manager to use renewed</code>
<code>certificate for liveness probes to healthcheck etcd renewed</code>
<code>certificate for etcd nodes to communicate with each other renewed</code>
<code>certificate for serving etcd renewed</code>
<code>certificate for the front proxy client renewed</code>
<code>certificate embedded in the kubeconfig file for the scheduler manager to use renewed</code>
<code>Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.</code>
After renewal, restart the control-plane components (kube-apiserver, kube-controller-manager, kube-scheduler) and etcd to load the new certificates.
Verify Renewal
Run the expiration check again to confirm the dates have been updated:
<code>[check-expiration] Reading configuration from the cluster...</code>
<code>CERTIFICATE   EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED</code>
<code>admin.conf    Jan 06, 2024 14:16 UTC   364d            ca                      no</code>
<code>apiserver     Jan 06, 2024 14:16 UTC   364d            ca                      no</code>
<code>... (other certificates omitted) ...</code>
<code>ca            Jan 01, 2033 13:48 UTC   9y                                      no</code>
The service certificates now show roughly 364 days remaining, indicating they were just renewed, while the CA certificate still has about nine years left, confirming the cluster has been running for about a year.
This procedure resolves the “certificate has expired or is not yet valid” error and ensures the Kubernetes control plane continues to operate securely.
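To catch certificates before they expire, the check-expiration table shown in this guide can be parsed from a scheduled job. The script below is an added example, not part of the original guide; the function names expiring_certs and sample_output, the sample rows, and the treatment of <invalid> as the marker for an already-expired certificate are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): list certificates whose
# residual time in `kubeadm certs check-expiration` output is under a limit.

# expiring_certs LIMIT_DAYS   (reads the table on stdin)
# Prints "NAME RESIDUAL" for every certificate below LIMIT_DAYS.
expiring_certs() {
    awk -v limit="$1" '
        # Data rows look like: NAME Mon DD, YYYY HH:MM UTC RESIDUAL ...
        # Headers and [check-expiration] log lines never have "UTC" in field 6.
        $6 == "UTC" {
            r = $7
            if (r ~ /^[0-9]+y$/)           days = (r + 0) * 365  # "9y"   -> 3285
            else if (r ~ /^[0-9]+d$/)      days = r + 0          # "363d" -> 363
            else if (r ~ /^[0-9]+[hms]$/)  days = 0              # under one day left
            else                           days = -1             # "<invalid>" (assumed expired
                                                                 # marker) or unknown: report it
            if (days < limit) print $1, r
        }'
}

# Constructed sample in the layout shown in this guide (values are made up).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE             EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf              Jan 04, 2024 13:49 UTC   363d            ca                      no
apiserver               Jan 10, 2023 13:48 UTC   4d              ca                      no
apiserver-etcd-client   Jan 06, 2023 09:00 UTC   7h              etcd-ca                 no
front-proxy-client      Jan 01, 2023 13:48 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 01, 2033 13:48 UTC   9y              no
EOF
}

# Offline demo; on a control-plane node use:
#   kubeadm certs check-expiration | expiring_certs 30
sample_output | expiring_certs 30
```

Rows whose residual time cannot be parsed are reported rather than skipped, so a change in the output format shows up as an alert instead of a silent pass.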
Full-Stack DevOps & Kubernetes
Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.
