How to refresh externally managed Kubernetes certificates

This guide walks you through refreshing external certificates for both control plane and worker nodes in your Canonical Kubernetes cluster.

Prerequisites

  • A running Canonical Kubernetes cluster

Note

To refresh certificates, your cluster must have been initially configured with external certificates during the bootstrap process. You can verify which certificates are externally managed by running k8s certs-status on a control plane node.

Assemble certificates data

The refresh-certs command reads the new node certificates from a YAML file passed with the --external-certificates argument, so you do not have to supply each certificate on the command line. For the complete list of certificate keys the file accepts, see the certificates refresh configuration file reference page.

Refer to the Canonical Kubernetes cluster certificates and configuration directories documentation to determine which certificates are required for each node.

Note

If only some of the Certificate Authorities (CAs) are managed externally, provide only the certificates that require updates, that is, those issued by the externally managed CAs. Identify which CAs are externally managed by running k8s certs-status on a control plane node.

Refresh Control Plane node certificates

Execute the following command to refresh certificates on each control plane node:

sudo k8s refresh-certs --external-certificates ./certificates.yaml

Note

If your node setup includes additional SANs, make sure the certificate you request for each node carries that node's specific SANs (hostnames and IP addresses); a client that connects using a name missing from the certificate will reject it. Check your provider's documentation for instructions on requesting certificates with the required SANs from your certificate authority.
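Before handing the new certificates to refresh-certs, it is worth confirming locally that each one chains to the CA the cluster already trusts, matches its private key, is not about to expire, and carries the SANs the node needs. The script below is an added example, not part of Canonical Kubernetes or its documentation; it only needs the openssl command-line tool. The check_cert function is the reusable part; make_fixture builds a throwaway CA and leaf certificate purely as constructed test material, and the hostname node1.example.internal and address 10.0.0.11 are assumed values, not anything from a real cluster.

```shell
#!/bin/sh
# Pre-flight checks for externally issued node certificates, run before
# `sudo k8s refresh-certs --external-certificates ./certificates.yaml`.
# Added example; not Canonical Kubernetes code. Requires the openssl CLI.
set -eu

# check_cert CERT KEY CA [SAN ...]
# Succeeds only if CERT chains to CA, KEY is CERT's private key, CERT stays
# valid for at least 24h, and every SAN given (DNS name or IP) is in CERT.
check_cert() {
  cert="$1"; key="$2"; ca="$3"; shift 3

  # 1. Chain of trust: the new leaf must be issued by the CA the cluster
  #    already trusts (the externally managed CA listed by k8s certs-status).
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL chain: $cert is not issued by $ca" >&2; return 1; }

  # 2. Key/cert pairing: compare SHA-256 of the DER public keys, which works
  #    for RSA and EC keys alike (a modulus comparison is RSA-only).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL key: $key does not match $cert" >&2; return 1; }

  # 3. Lifetime: reject a certificate that expires within 86400 s (one day).
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "FAIL expiry: $cert expires within 24h" >&2; return 1; }

  # 4. SANs: normalise to one entry per line ("DNS:host" / "IP Address:addr")
  #    and require an exact match for every expected name or address.
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n 1 \
         | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for san in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -e "DNS:$san" -e "IP Address:$san" \
      || { echo "FAIL san: $cert lacks $san" >&2; return 1; }
  done
  echo "OK $cert" >&2
}

# make_fixture DIR SANLIST: throwaway CA and leaf for demonstration only
# (constructed test material, not cluster certificates).
make_fixture() {
  dir="$1"; sanlist="$2"
  printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' >"$dir/req.cnf"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/req.cnf" -extensions ca_ext \
    -subj "/CN=kubernetes-ca" -days 30 -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/node.key" 2048 2>/dev/null
  openssl req -new -key "$dir/node.key" -config "$dir/req.cnf" \
    -subj "/CN=kube-apiserver" -out "$dir/node.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$sanlist" >"$dir/leaf.ext"
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/node.crt" 2>/dev/null
}

# Demo with assumed hostname/IP. Against real files you would run, per node:
#   check_cert apiserver.crt apiserver.key ca.crt "$(hostname -f)" 10.0.0.11
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" "DNS:node1.example.internal,IP:10.0.0.11"
check_cert "$demo_dir/node.crt" "$demo_dir/node.key" "$demo_dir/ca.crt" \
  node1.example.internal 10.0.0.11
check_cert "$demo_dir/node.crt" "$demo_dir/node.key" "$demo_dir/ca.crt" \
  node2.example.internal || echo "(rejected as expected: missing SAN)" >&2
rm -rf "$demo_dir"
```

Run check_cert once per certificate in your certificates.yaml, passing that node's hostname and every address the certificate must serve; a FAIL on any of the four checks means refresh-certs would either reject the material or leave the node with a certificate its peers will not accept.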

The node will validate the certificates, update them automatically, and restart the necessary services. Upon successful completion, you will see:

External certificates have been successfully refreshed.

Verify the new expiration dates by running the k8s certs-status command; every certificate you supplied should now show the new EXPIRES date and EXTERNALLY MANAGED yes:

CERTIFICATE               EXPIRES                 RESIDUAL TIME  CERTIFICATE AUTHORITY      EXTERNALLY MANAGED
apiserver                 Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
apiserver-kubelet-client  Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
front-proxy-client        Mar 21, 2026 01:06 UTC  364d           kubernetes-front-proxy-ca  yes
kubelet                   Mar 21, 2026 01:06 UTC  364d           kubernetes-ca              yes
admin.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
controller.conf           Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
kubelet.conf              Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
proxy.conf                Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes
scheduler.conf            Mar 21, 2026 01:06 UTC  364d           kubernetes-ca-client       yes

CERTIFICATE AUTHORITY      EXPIRES                 RESIDUAL TIME  EXTERNALLY MANAGED
kubernetes-ca              Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-ca-client       Mar 19, 2035 01:06 UTC  9y             yes
kubernetes-front-proxy-ca  Mar 19, 2035 01:06 UTC  9y             yes

Refresh Worker node certificates

To refresh the certificates on worker nodes, run the following on each worker node in your cluster, using a certificates.yaml that contains the certificates required for that node:

sudo k8s refresh-certs --external-certificates ./certificates.yaml

The node will automatically update certificates and restart necessary services. Upon successful completion, you will see:

External certificates have been successfully refreshed.