How to refresh externally managed Kubernetes certificates
This guide walks you through refreshing external certificates for both control plane and worker nodes in your Canonical Kubernetes cluster.
Prerequisites
A running Canonical Kubernetes cluster
Note
To refresh certificates, your cluster must have been initially configured with external certificates during the bootstrap process. You can verify which certificates are externally managed by running k8s certs-status on a control plane node.
Assemble certificates data
To simplify the process and avoid complex CLI commands, the refresh-certs command accepts new node certificates via the --external-certificates argument with a YAML-formatted file. For a complete list of available certificate keys, see the certificates refresh configuration file reference page.
Refer to the Canonical Kubernetes cluster certificates and configuration directories documentation to determine which certificates are required for each node.
Note
If you are managing some of the Certificate Authorities (CAs) externally, provide only the certificates that require updates. Identify the externally managed CAs by running k8s certs-status on a control plane node.
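The following script is an added example (not Canonical Kubernetes code) of assembling the certificates.yaml file from PEM files on disk while checking each file before it is handed to the node. The YAML key names in CERT_FILES are assumed placeholders; take the real key names from the certificates refresh configuration file reference page. It uses only the standard library, so the YAML is written out by hand with block scalars, and the sample PEM contents are constructed, not real keys or certificates.

```python
"""Assemble a certificates.yaml for `k8s refresh-certs --external-certificates`
from PEM files on disk, checking each file before it reaches the node.

Added example, not Canonical Kubernetes code. The YAML key names in CERT_FILES
are assumed placeholders; take the real names from the certificates refresh
configuration file reference. Only the standard library is used, so the YAML
is written out by hand with block scalars.
"""
import re
from pathlib import Path
from typing import Optional

# ASSUMED key names -> PEM file name. Replace with the keys from the reference page.
CERT_FILES = {
    "apiserver-crt": "apiserver.crt",
    "apiserver-key": "apiserver.key",
    "kubelet-crt": "kubelet.crt",
    "kubelet-key": "kubelet.key",
}

# Exactly one PEM block with nothing before or after it.
PEM_BLOCK = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END (?P=label)-----\n\Z"
)


def pem_problem(text: str, expect_key: bool) -> Optional[str]:
    """Return a description of what is wrong with the PEM text, or None if it is
    a single well-formed block of the expected kind. This catches a CSR, a CA
    bundle or a swapped .crt/.key before the refresh is attempted."""
    m = PEM_BLOCK.match(text.strip() + "\n")
    if not m:
        return "not a single well-formed PEM block"
    label = m.group("label")
    is_key = label.endswith("PRIVATE KEY")
    if is_key != expect_key:
        wanted = "a private key" if expect_key else "a certificate"
        return f"expected {wanted}, got {label}"
    return None


def validate(files: dict) -> list:
    """Return a list of problems with a mapping of YAML key -> PEM contents.
    Every *-crt must be paired with its *-key (and vice versa), so a half-updated
    pair is reported instead of silently submitted."""
    problems = []
    for key, text in files.items():
        stem, _, kind = key.rpartition("-")
        if kind not in ("crt", "key"):
            problems.append(f"{key}: unexpected key name")
            continue
        partner = f"{stem}-{'key' if kind == 'crt' else 'crt'}"
        if partner not in files:
            problems.append(f"{key} is present but {partner} is missing")
        err = pem_problem(text, expect_key=(kind == "key"))
        if err:
            problems.append(f"{key}: {err}")
    return problems


def assemble_yaml(files: dict) -> str:
    """Build the YAML text, raising ValueError if validate() found problems."""
    problems = validate(files)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for key in sorted(files):
        lines.append(f"{key}: |")
        lines.extend(f"  {line}" for line in files[key].strip().splitlines())
    return "\n".join(lines) + "\n"


def assemble_from_dir(cert_dir: Path, mapping: dict = CERT_FILES) -> str:
    """Read the mapped files from cert_dir and produce the YAML text."""
    return assemble_yaml({key: (cert_dir / name).read_text() for key, name in mapping.items()})


# Constructed sample: fake PEM bodies, not real keys or certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleBody0123\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedSampleBody4567\n-----END PRIVATE KEY-----\n"
SAMPLE_FILES = {
    "apiserver-crt": FAKE_CERT, "apiserver-key": FAKE_KEY,
    "kubelet-crt": FAKE_CERT, "kubelet-key": FAKE_KEY,
}

if __name__ == "__main__":
    print(assemble_yaml(SAMPLE_FILES))
```

Run it with `assemble_from_dir(Path("./certs"))` against a directory holding the freshly issued files, write the returned text to certificates.yaml, and only then pass that file to refresh-certs; the pairing check matters because a certificate submitted with the previous key (or the other way round) will not validate on the node.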
Refresh Control Plane node certificates
Execute the following command to refresh certificates on each control plane node:
sudo k8s refresh-certs --external-certificates ./certificates.yaml
Note
If your node setup includes additional SANs, be sure to include the specific SANs for each node when requesting new certificates from your certificate authority. Check your provider's documentation for instructions on requesting certificates with the required SANs.
The node will validate the certificates, update them automatically, and restart the necessary services. Upon successful completion, you will see:
External certificates have been successfully refreshed.
Verify the new expiration dates by running the k8s certs-status command:
CERTIFICATE               EXPIRES                 RESIDUAL TIME  CERTIFICATE AUTHORITY      EXTERNALLY MANAGED
apiserver                 Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
apiserver-kubelet-client  Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
front-proxy-client        Mar 21, 2026 01:06 UTC  364d           kubernetes-front-proxy-ca  yes
kubelet                   Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
admin.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
controller.conf           Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
kubelet.conf              Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
proxy.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
scheduler.conf            Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes

CERTIFICATE AUTHORITY      EXPIRES                 RESIDUAL TIME  EXTERNALLY MANAGED
kubernetes-ca              Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-ca-client       Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-front-proxy-ca  Mar 19, 2035 01:06 UTC  9y             yes
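The certs-status output is also the place to catch a refresh that did not take, or a certificate left to run out. The script below is an added example (not Canonical Kubernetes code) that parses both tables and reports every certificate whose expiry falls within a threshold or that is not externally managed. The sample output is constructed from the table on this page; the assumption that the CLI separates columns with two or more spaces is mine.

```python
"""Parse `k8s certs-status` output and flag certificates that are near expiry
or not externally managed.

Added example, not Canonical Kubernetes code. SAMPLE_STATUS is constructed
from the table in the guide; the parser assumes columns are separated by two
or more spaces, which is how aligned CLI tables are usually printed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

SAMPLE_STATUS = """\
CERTIFICATE               EXPIRES                 RESIDUAL TIME  CERTIFICATE AUTHORITY      EXTERNALLY MANAGED
apiserver                 Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
apiserver-kubelet-client  Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
front-proxy-client        Mar 21, 2026 01:06 UTC  364d           kubernetes-front-proxy-ca  yes
kubelet                   Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
admin.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
controller.conf           Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
kubelet.conf              Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
proxy.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
scheduler.conf            Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes

CERTIFICATE AUTHORITY      EXPIRES                 RESIDUAL TIME  EXTERNALLY MANAGED
kubernetes-ca              Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-ca-client       Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-front-proxy-ca  Mar 19, 2035 01:06 UTC  9y             yes
"""

# Constructed "current time" used by the stand-alone run and the checks.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

DATE_FMT = "%b %d, %Y %H:%M UTC"


class CertRecord(NamedTuple):
    name: str
    expires: datetime
    residual: str
    issuer: Optional[str]  # None for CA rows, which have no issuer column
    external: bool
    is_ca: bool


def parse_certs_status(text: str) -> list[CertRecord]:
    """Turn the two tables into records. The header of each table decides
    whether the following rows carry an issuer column (node certificates)
    or not (CAs)."""
    records, in_ca_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = re.split(r"\s{2,}", line)
        if fields[0] == "CERTIFICATE":
            in_ca_table = False
            continue
        if fields[0] == "CERTIFICATE AUTHORITY":
            in_ca_table = True
            continue
        if in_ca_table:
            name, expires, residual, external = fields
            issuer = None
        else:
            name, expires, residual, issuer, external = fields
        records.append(CertRecord(
            name=name,
            expires=datetime.strptime(expires, DATE_FMT).replace(tzinfo=timezone.utc),
            residual=residual,
            issuer=issuer,
            external=external.lower() == "yes",
            is_ca=in_ca_table,
        ))
    return records


def expiring_within(records: list[CertRecord], now: datetime, days: int = 30) -> list[str]:
    """Names of certificates (and CAs) that expire within `days` of `now`."""
    return [r.name for r in records if r.expires - now <= timedelta(days=days)]


def not_externally_managed(records: list[CertRecord]) -> list[str]:
    """Names whose EXTERNALLY MANAGED column is not 'yes'; these are not touched
    by --external-certificates and need the cluster's own refresh path."""
    return [r.name for r in records if not r.external]


def report(text: str, now: Optional[datetime] = None, days: int = 30) -> dict[str, list[str]]:
    """Summarise the output: which entries are close to expiry and which are
    managed internally. Defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    records = parse_certs_status(text)
    return {
        "expiring": expiring_within(records, now, days),
        "internal": not_externally_managed(records),
    }


if __name__ == "__main__":
    print(report(SAMPLE_STATUS, SAMPLE_NOW))
```

In practice feed it `subprocess.run(["k8s", "certs-status"], capture_output=True, text=True).stdout` on each control plane node and alert on a non-empty "expiring" list well before the residual time reaches zero; a certificate whose EXPIRES value did not move after refresh-certs is the first sign that the YAML omitted it.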
Refresh Worker node certificates
To refresh the certificates on worker nodes, perform this step on each worker node in your cluster:
sudo k8s refresh-certs --external-certificates ./certificates.yaml
The node will automatically update certificates and restart necessary services. Upon successful completion, you will see:
External certificates have been successfully refreshed.