kubernetes
Kubernetes Certificate Expiry Calculator
Calculate when your Kubernetes certificates expire and whether you need to renew them. kubeadm certificates are valid for 1 year — missing renewal breaks the cluster.
Kubernetes PKI Certificate Management
Kubernetes uses a PKI (Public Key Infrastructure) to secure all internal communication. kubeadm generates these certificates at cluster creation with a 1-year validity period.
Certificates kubeadm Issues
| Certificate | Purpose | Validity |
|---|---|---|
| apiserver | API server TLS | 1 year |
| apiserver-kubelet-client | API server → kubelet auth | 1 year |
| apiserver-etcd-client | API server → etcd auth | 1 year |
| etcd-server | etcd peer + client TLS | 1 year |
| front-proxy-client | API aggregation layer | 1 year |
The CA Certificate
The root CA certificate is valid for 10 years (not 1 year). You cannot renew the CA with kubeadm certs renew — replacing it requires rotating all cluster certificates. This is a major operation. Plan for CA rotation every 8–9 years.
Automatic Renewal via Upgrade
kubeadm upgrade apply automatically renews certificates expiring within 6 months. This is the primary reason you should upgrade Kubernetes regularly — annual minor version upgrades keep certificates healthy.
Emergency Renewal
If certificates are already expired, the process is:
- 1.Restore a valid kubeconfig if kubectl is broken (copy from /etc/kubernetes/admin.conf)
- 2.Run
kubeadm certs renew all - 3.Restart control plane pods
- 4.Distribute new kubeconfig to users
Certificate Monitoring
Add a Prometheus alert on x509_cert_expiry metric (exposed by cert-manager or kube-state-metrics) to get alerts 30, 14, and 7 days before expiry.
Key Terms
Full glossary →kubeadm
A tool for bootstrapping Kubernetes clusters. It automates the setup of control plane components and joining worker nodes, following Kubernetes best practices.
etcd
A distributed key-value store used by Kubernetes to store all cluster state and configuration. etcd is the single source of truth for the entire cluster.
cert-manager
A Kubernetes controller for automating TLS certificate management. cert-manager can issue certificates from Let's Encrypt, Vault, or internal CAs, and automatically renews them.
Helm
A package manager for Kubernetes. Helm charts bundle Kubernetes manifests into reusable packages with configurable values, versioned and published to chart repositories.
Frequently Asked Questions
How do I check when my Kubernetes certificates expire?
Run `kubeadm certs check-expiration` on a control plane node. It shows expiry dates for all certificates including the API server cert, etcd certs, and the front-proxy cert.
What happens when Kubernetes certificates expire?
When the API server certificate expires, kubectl stops working entirely — the API server refuses connections. etcd certificate expiry is even more severe — the entire cluster becomes read-only then unavailable. Renew before 30 days remaining.
Does upgrading Kubernetes renew certificates automatically?
Yes — kubeadm upgrade apply automatically renews all certificates that expire within 6 months during the upgrade. This is why regular minor version upgrades are important for certificate hygiene.
How do I renew certificates without upgrading?
Run `kubeadm certs renew all` on each control plane node, then restart the static pods: `crictl pods | grep kube | awk '{print $1}' | xargs crictl stopp`. The API server, scheduler, and controller-manager will restart with new certs.
Related Tools
K8s Cluster Cost
Calculate the monthly cost of running a Kubernetes cluster on Hetzner Cloud. Choose server types for control planes, workers, and load balancers with HA mode.
K8s Upgrade Path
Plan your Kubernetes upgrade path from any version to any version. Kubernetes only allows upgrading one minor version at a time — calculate the number of hops and total time estimate.
Related Generators
Related Guides
kubernetes
CI/CD for Kubernetes with GitHub Actions: A Complete Guide (2026)
A practical walkthrough of building a full GitHub Actions pipeline that builds a container image, pushes it to a registry, and deploys to Kubernetes — with secrets handling, rollback, and Helm support.
kubernetes
ArgoCD vs Flux: Choosing a GitOps Tool for Kubernetes in 2026
A no-fluff comparison of ArgoCD and Flux for GitOps on Kubernetes — covering architecture, UI, Helm support, multi-tenancy, and when to pick each one.
kubernetes
Hetzner vs DigitalOcean for Kubernetes in 2026: An Honest Comparison
Hetzner is 3–5× cheaper than DigitalOcean for equivalent Kubernetes compute. But DO has managed K8s, better global coverage, and a larger app marketplace. Here's when each is the right choice.