
Kubernetes Certificate Management: Common Pitfalls, Detection Methods, and Renewal Procedures

This article explains why Kubernetes certificates often become hidden "time bombs," describes the typical failures caused by expired certificates, and provides practical methods to detect upcoming expirations and safely renew or replace them to keep clusters running smoothly.


In Kubernetes (K8s) operations, certificate management is frequently overlooked; many teams configure certificates during cluster setup and then forget about them until a sudden outage reveals that a certificate has expired.

Expired certificates can cause the API server to reject connections, nodes to become unreachable, pod scheduling to fail, and even the entire cluster to collapse.

1. Which certificates are likely to become "time bombs"?

Kubernetes relies on several certificates for secure communication:

CA certificate (root): Used to sign all other certificates; if it expires, every dependent certificate fails. Default validity is usually 10 years, but many teams forget to renew it.

API Server certificate: The core certificate for control-plane communication; expiration prevents kubectl from accessing the cluster.

etcd certificate: If the etcd certificate expires, K8s cannot read or write data, potentially crashing the entire cluster.

kubelet client certificate: Each node's kubelet uses this certificate to talk to the API server; expiration causes the node to lose contact with the control plane.

Service Account Token: Not a traditional certificate, but it has a default one-year expiration and affects pod authentication with the API server.

2. Typical failure symptoms of expired certificates

| Failure Symptom | Potentially Expired Certificate |
| --- | --- |
| kubectl get nodes times out | API Server certificate or kubeconfig |
| Node status becomes NotReady | kubelet client certificate |
| Pod scheduling fails with x509 error | Service Account Token |
| etcd cluster unavailable | etcd certificate |

3. How to detect certificates that are about to expire?

Method 1: Use kubeadm (for clusters installed with kubeadm)

kubeadm certs check-expiration

Sample output:

CERTIFICATE               EXPIRES               RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                Aug 05, 2025 12:11 UTC   91d          ca                     no
apiserver                 Aug 05, 2025 12:11 UTC   91d          ca                     no
apiserver-etcd-client     Aug 05, 2025 12:11 UTC   91d          etcd-ca                no
apiserver-kubelet-client  Aug 05, 2025 12:11 UTC   91d          ca                     no

Method 2: Manually check a single certificate

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates

Output example:

notBefore=May 15 08:00:00 2023 GMT
notAfter=May 12 08:23:00 2024 GMT  # expiration time

Method 3: Use Prometheus monitoring (long‑term solution)

Deploy kube-cert-exporter or a custom script and integrate with Alertmanager to generate early warnings.
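As an added example (not code from the article), the following Python script wraps the openssl check from Method 2 so it can serve as the custom script mentioned in Method 3: it walks /etc/kubernetes/pki (kubeadm's default layout), parses each notAfter line, and exits non-zero when any certificate is expired or inside an assumed 30-day warning window.

```python
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional, Tuple

PKI_DIR = Path("/etc/kubernetes/pki")  # kubeadm's default certificate directory
WARN_DAYS = 30                         # assumed alert threshold, in days

def parse_not_after(line: str) -> datetime:
    """Parse an `openssl x509 -noout -enddate` line such as
    'notAfter=May 12 08:23:00 2024 GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)

def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days

def classify(days: int, warn_days: int = WARN_DAYS) -> str:
    if days < 0:
        return "EXPIRED"
    return "WARNING" if days <= warn_days else "OK"

def cert_not_after(path: Path) -> datetime:
    """Run the same openssl command as Method 2 and parse its output."""
    result = subprocess.run(
        ["openssl", "x509", "-in", str(path), "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    )
    return parse_not_after(result.stdout)

def check_pki_dir(pki_dir: Path = PKI_DIR,
                  now: Optional[datetime] = None) -> Dict[str, Tuple[int, str]]:
    """Map every .crt under pki_dir (etcd/ and front-proxy included) to
    (days remaining, status) so that no certificate is silently skipped."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for crt in sorted(pki_dir.rglob("*.crt")):
        days = days_remaining(cert_not_after(crt), now)
        report[str(crt.relative_to(pki_dir))] = (days, classify(days))
    return report

if __name__ == "__main__":
    report = check_pki_dir()
    for name, (days, status) in report.items():
        print(f"{status:8} {days:5d}d  {name}")
    # A non-zero exit lets a cron job or exporter wrapper raise the alert.
    raise SystemExit(1 if any(s != "OK" for _, s in report.values()) else 0)
```

Run it from a cron job on each control-plane node, or expose the per-certificate day counts as a Prometheus gauge and alert in Alertmanager when the value drops below the threshold.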

4. Certificate renewal procedures

Step 1: Renew all certificates automatically with kubeadm:

kubeadm certs renew all

Step 2: Restart the control-plane components (API server, controller-manager, scheduler, etcd) so they load the renewed certificates. The pipeline below assumes the Docker container runtime:

docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk -F ' ' '{print $1}' | xargs docker restart

Step 3: Restart the kubelet service:

systemctl restart kubelet

Step 4: Verify container status, kubelet service status, and logs for any errors.

Note: If you have multiple master nodes, repeat the above steps on each master.

Written by DevOps Operations Practice