Assuming the address of the first controller is:
> controller-1.domain.tld
Connect to the first controller via ssh:
> ssh core@controller-1.domain.tld
Navigate to the certificates directory:
> cd /etc/kubernetes/pki/
Create a backup directory named after the current UTC time:
> backup="backup-$(date --utc '+%Y%m%d%H%M%S')"
> mkdir "$backup"
Copy the current certificates and keys into the backup directory:
> cp -a -- *.crt *.key "$backup"/
Create ca-extensions.conf file:
> touch ca-extensions.conf
Write the certificate authority v3 extensions in the ca-extensions.conf file, leaving the subjectKeyIdentifier value empty for now:
> [v3_ca]
> keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
> basicConstraints = critical, CA:TRUE
> subjectKeyIdentifier =
Get the subject key identifier from the current certificate and fill it into the subjectKeyIdentifier line of the ca-extensions.conf file. Keeping the original identifier matters: the certificates issued by this CA carry it in their Authority Key Identifier extension, and verifiers such as OpenSSL will not accept a CA with a different identifier as their issuer.
> skid=$(openssl x509 -noout -text -in ca.crt | grep "X509v3 Subject Key Identifier:" -A1 | tail -n 1 | tr -d ' ')
> sed -i "s/^subjectKeyIdentifier =.*/subjectKeyIdentifier = $skid/" ca-extensions.conf
The file should now look similar to this:
> [v3_ca]
> keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
> basicConstraints = critical, CA:TRUE
> subjectKeyIdentifier = 12:34:56:78:[...]
Generate a certificate signing request from the old certificate authority certificate; this carries the existing subject over unchanged:
> openssl x509 -x509toreq -in ca.crt -signkey ca.key -out ca.csr
Generate a new certificate authority certificate valid for 5 years (1826 days) from that certificate signing request, self-signed with the existing certificate authority key and carrying the v3 extensions from the ca-extensions.conf file:
> openssl x509 -req -days 1826 -in ca.csr -signkey ca.key -out new-ca.crt -extensions v3_ca -extfile ca-extensions.conf
Compare the old certificate with the new certificate and make sure that only the Serial Number, the Validity dates, the signature value and the PEM CERTIFICATE block differ; the Subject, Issuer, public key and every X509v3 extension must be identical:
> diff --side-by-side <(openssl x509 -text -in ca.crt) <(openssl x509 -text -in new-ca.crt)
Verify that the certificates signed with the old certificate authority certificate are still valid under the new certificate authority certificate (the check succeeds because the key, subject and subject key identifier are unchanged; if it fails, one of these was not carried over):
> openssl verify -CAfile new-ca.crt -verbose apiserver.crt
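The whole procedure, as an added example that is not part of the original page: the script below builds a throwaway CA and a leaf certificate in a temporary directory (constructed test data, not cluster files), renews the CA with the same key and pinned subject key identifier exactly as the steps above do, and then checks that the identifier survived and that the old leaf still verifies against the renewed CA. The function names renew_ca, skid_of and demo_rotation are assumptions of this example; only the openssl invocations match the page.

```shell
#!/bin/sh
# Added example (not from the original page): renew a CA certificate while
# keeping its key, subject and Subject Key Identifier (SKID), so that leaf
# certificates already issued under the CA keep verifying. Runs offline
# against a throwaway CA and leaf certificate constructed below.
set -eu

# skid_of CRT -> prints the Subject Key Identifier of a certificate as hex.
skid_of() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'X509v3 Subject Key Identifier:' | tail -n 1 | tr -d ' '
}

# renew_ca OLD_CRT KEY NEW_CRT DAYS
# Re-issues the CA certificate from the old one with the same key and an
# explicit v3 extensions file that pins the original SKID (hypothetical helper).
renew_ca() {
    old_crt=$1; ca_key=$2; new_crt=$3; days=$4
    workdir=$(dirname "$new_crt")
    skid=$(skid_of "$old_crt")
    cat > "$workdir/ca-extensions.conf" <<EOF
[v3_ca]
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = $skid
EOF
    # A CSR derived from the old certificate keeps the subject unchanged.
    openssl x509 -x509toreq -in "$old_crt" -signkey "$ca_key" \
        -out "$workdir/ca.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$workdir/ca.csr" -signkey "$ca_key" \
        -out "$new_crt" -extensions v3_ca \
        -extfile "$workdir/ca-extensions.conf" 2>/dev/null
}

# demo_rotation: build a constructed CA and leaf, renew the CA, and return 0
# only if the SKID was preserved and the leaf still chains to the new CA.
demo_rotation() {
    dir=$(mktemp -d)
    # Constructed test CA with the extension profile used in the procedure.
    cat > "$dir/ca.conf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = kubernetes
[v3_ca]
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -days 1 -config "$dir/ca.conf" 2>/dev/null
    # Constructed leaf certificate signed by the old CA; its Authority Key
    # Identifier points at the CA's SKID, which is why the SKID must survive.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/apiserver.key" \
        -out "$dir/apiserver.csr" -subj "/CN=kube-apiserver" 2>/dev/null
    printf 'authorityKeyIdentifier = keyid\nbasicConstraints = CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/apiserver.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/apiserver.crt" -extfile "$dir/leaf.ext" 2>/dev/null

    renew_ca "$dir/ca.crt" "$dir/ca.key" "$dir/new-ca.crt" 1826

    old_skid=$(skid_of "$dir/ca.crt")
    new_skid=$(skid_of "$dir/new-ca.crt")
    [ "$old_skid" = "$new_skid" ] || { rm -rf "$dir"; return 1; }
    # The old leaf must chain to the renewed CA without being reissued.
    openssl verify -CAfile "$dir/new-ca.crt" "$dir/apiserver.crt" \
        >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    echo "CA renewed: SKID $new_skid preserved, apiserver.crt still verifies"
    return 0
}
```

The SKID is pinned to the old value rather than regenerated with `hash` so that the comparison step is meaningful even if the original CA computed the identifier differently; the diff of the two certificates is what proves nothing but serial, validity and signature changed.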