Kubernetes Certificate Expiry Calculator
Calculate when your Kubernetes certificates expire and whether you need to renew them. kubeadm certificates are valid for 1 year — missing renewal breaks the cluster.
Kubernetes PKI Certificate Management
Kubernetes uses a PKI (Public Key Infrastructure) to secure all internal communication. kubeadm generates these certificates at cluster creation with a 1-year validity period.
Certificates kubeadm Issues
| Certificate | Purpose | Validity |
|---|---|---|
| apiserver | API server TLS | 1 year |
| apiserver-kubelet-client | API server → kubelet auth | 1 year |
| apiserver-etcd-client | API server → etcd auth | 1 year |
| etcd-server | etcd peer + client TLS | 1 year |
| front-proxy-client | API aggregation layer | 1 year |
The CA Certificate
The root CA certificate is valid for 10 years (not 1 year). You cannot renew the CA with `kubeadm certs renew`; replacing it requires rotating all cluster certificates. This is a major operation. Plan for CA rotation every 8–9 years.
Automatic Renewal via Upgrade
`kubeadm upgrade apply` automatically renews certificates expiring within 6 months. This is the primary reason you should upgrade Kubernetes regularly: annual minor version upgrades keep certificates healthy.
Emergency Renewal
If certificates are already expired, the process is:
1. Restore a valid kubeconfig if kubectl is broken (copy from `/etc/kubernetes/admin.conf`)
2. Run `kubeadm certs renew all`
3. Restart control plane pods
4. Distribute new kubeconfig to users
Certificate Monitoring
Add a Prometheus alert on the x509_cert_expiry metric (exposed by cert-manager or kube-state-metrics) to get alerts 30, 14, and 7 days before expiry.
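The 30, 14 and 7 day alert points above, applied to `openssl x509 -enddate` output; this is an added example, not code from the original page or from kubeadm. The tier names, the `/etc/kubernetes/pki` paths (kubeadm's default certificate directory) and the sample dates are assumptions constructed for illustration.

```python
import ssl
import sys
from datetime import datetime, timezone

# Alert points from the page (30/14/7 days); the tier names are assumptions.
TIERS = [(7, "critical"), (14, "warning"), (30, "renew")]

# Constructed sample input, in the shape produced on a control plane node by:
#   for f in /etc/kubernetes/pki/*.crt; do
#     echo "$f $(openssl x509 -enddate -noout -in "$f")"; done
SAMPLE = """\
/etc/kubernetes/pki/apiserver.crt notAfter=Mar  3 12:00:00 2026 GMT
/etc/kubernetes/pki/ca.crt notAfter=Feb 28 12:00:00 2035 GMT
/etc/kubernetes/pki/front-proxy-client.crt notAfter=Jan 10 08:30:00 2026 GMT
"""

def parse_line(line):
    """Split '<path> notAfter=<date>' into (path, expiry as a UTC datetime)."""
    path, sep, not_after = line.strip().partition(" notAfter=")
    if not sep:
        raise ValueError(f"not an 'openssl x509 -enddate' line: {line!r}")
    # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form.
    seconds = ssl.cert_time_to_seconds(not_after)
    return path, datetime.fromtimestamp(seconds, timezone.utc)

def classify(expiry, now):
    """Return (whole days remaining, status) for one certificate."""
    days = (expiry - now).days  # floors, so it is negative once expired
    if expiry <= now:
        return days, "expired"
    for limit, status in TIERS:
        if days <= limit:
            return days, status
    return days, "ok"

def report(lines, now=None):
    """Rows of (path, expiry date, days left, status), soonest expiry first."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for line in filter(str.strip, lines):
        path, expiry = parse_line(line)
        rows.append((path, expiry.date().isoformat(), *classify(expiry, now)))
    return sorted(rows, key=lambda row: row[2])

if __name__ == "__main__":
    rows = report(SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin)
    for path, date, days, status in rows:
        print(f"{status:8} {days:6}d  {date}  {path}")
    sys.exit(1 if any(row[3] != "ok" for row in rows) else 0)  # for cron/CI
```

Pipe the shell loop's output into the script to check a real node; the non-zero exit status lets a cron job or CI step fail when any certificate is inside the 30-day window.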
Frequently Asked Questions
How do I check when my Kubernetes certificates expire?
Run `kubeadm certs check-expiration` on a control plane node. It shows expiry dates for all certificates including the API server cert, etcd certs, and the front-proxy cert.
What happens when Kubernetes certificates expire?
When the API server certificate expires, kubectl stops working entirely because the API server refuses connections. etcd certificate expiry is even more severe: the entire cluster becomes read-only, then unavailable. Renew before the remaining validity drops to 30 days.
Does upgrading Kubernetes renew certificates automatically?
Yes. During the upgrade, `kubeadm upgrade apply` automatically renews all certificates that expire within 6 months. This is why regular minor version upgrades are important for certificate hygiene.
How do I renew certificates without upgrading?
Run `kubeadm certs renew all` on each control plane node, then restart the static pods: `crictl pods | grep kube | awk '{print $1}' | xargs crictl stopp`. The API server, scheduler, and controller-manager will restart with new certs.