
6.06 View TLS Certificate Details in Kubernetes

🎯 Scenario

You join a new team as a Kubernetes administrator.

You are told:

  • There are certificate-related issues
  • Some components are failing
  • You must perform a full TLS health check

1️⃣ Identify Cluster Setup Method

Question

How was the cluster provisioned?

The answer decides where the certificates live and who is responsible for renewing them:

kubeadm

  • Certificates typically in /etc/kubernetes/pki/
  • Control plane runs as static pods
  • Configs in /etc/kubernetes/manifests/

Manual setup (components run as systemd services)

  • Certificates manually generated
  • Paths defined in systemd service files

Managed service (hosted control plane)

  • Certificate lifecycle mostly abstracted

Note

Always determine the provisioning method before troubleshooting; the file locations, the renewal tooling and the restart procedure all depend on it.


2️⃣ Locate Certificate Files

Example (kubeadm):

cat /etc/kubernetes/manifests/kube-apiserver.yaml

Look for the flags that name the client CA, the serving certificate and key, and the etcd client material (paths are host paths; kubeadm mounts /etc/kubernetes/pki into the static pod):

--client-ca-file=
--tls-cert-file=
--tls-private-key-file=
--etcd-cafile=
--etcd-certfile=
--etcd-keyfile=

Document:

  • File path
  • Purpose
  • Issuer
  • Expiry date
  • SAN entries

3️⃣ View Certificate Details

Use OpenSSL on the host, from the directory located in step 2:

openssl x509 -in apiserver.crt -text -noout

🔍 Sections to Inspect

Subject

Confirms component identity:

Subject: CN=kube-apiserver

Issuer

Issuer: CN=KUBERNETES-CA

Must match the cluster CA. A matching issuer name alone is not proof: also verify the certificate's signature against the CA file, because a certificate issued by a different CA that happens to use the same CN still fails the TLS handshake.

Warning

An incorrect issuer indicates a trust chain issue: every peer that trusts only the cluster CA will reject the component.


Validity

Not Before:
Not After :

Danger

Expired certificates cause control plane outages.


Subject Alternative Name (SAN)

X509v3 Subject Alternative Name:
DNS:kubernetes
DNS:kubernetes.default
IP Address:10.96.0.1

Failure

Missing SAN entries break TLS validation: clients match the host name or IP they connected to against the SAN list, not the CN, so a server certificate that lacks the service IP, a node address or a DNS name that is actually in use is rejected for that name.


4️⃣ Certificates to Audit

Component             Certificate
CA                    ca.crt
API Server            apiserver.crt
ETCD                  etcd-server.crt
Kubelet (per node)    node01.crt
Admin                 admin.crt
Scheduler             scheduler.crt
Controller Manager    controller-manager.crt
Kube Proxy            kube-proxy.crt

Note

The file names above are illustrative. kubeadm uses its own layout under /etc/kubernetes/pki/ and keeps a separate CA for etcd in /etc/kubernetes/pki/etcd/, so etcd certificates must be verified against that CA rather than against ca.crt.

5️⃣ Health Check Checklist

Success

  • Not expired (and not expiring before the next planned rotation)
  • Correct CN (for client certificates the CN is the user name and O the group, so both must be right)
  • Correct SAN entries
  • Correct Issuer
  • Proper permissions (600 for keys)
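The following script carries steps 2 to 5 through end to end with OpenSSL. It is an added worked example, not code from the original page: for one certificate it verifies the signature chain against the CA file, flags a certificate that is expired or expires within a warning window, checks that every required SAN entry is present, and checks the mode of the private key stored beside it. Run it as audit.sh CERT CA [WARN_SECONDS] [REQUIRED_SANS] against real files from /etc/kubernetes/pki/, or with --demo to build a throwaway PKI in a temporary directory and audit it. The demo material (a cluster CA named KUBERNETES-CA, a healthy apiserver.crt, a cert expiring tomorrow with a world-readable key, and an unrelated OTHER-CA) is constructed for the example; the CN values, SAN list and file names are assumptions, not real cluster data.

```shell
#!/bin/sh
# Added example: audit one Kubernetes component certificate with OpenSSL.
# Usage: audit.sh CERT CA [WARN_SECONDS] [REQUIRED_SANS]
#   REQUIRED_SANS uses openssl's config syntax, e.g. "DNS:kubernetes,IP:10.96.0.1"
# Exits 0 only when every check passes, so it can drive a cron job or an alert.
set -eu

audit_cert() {
    local cert="$1" ca="$2" warn_secs="${3:-2592000}" required_sans="${4:-}"
    local rc=0 have missing want key mode
    echo "== $cert"
    openssl x509 -in "$cert" -noout -subject -issuer -dates

    # 1. Trust chain: the issuer name is not enough, the signature must verify
    #    against the CA file that the peers actually trust.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:  OK"
    else
        echo "chain:  FAIL (does not verify against $ca)"; rc=1
    fi

    # 2. Expiry: -checkend exits non-zero if the cert is expired or expires
    #    within WARN_SECONDS (default 30 days).
    if openssl x509 -in "$cert" -noout -checkend "$warn_secs" >/dev/null; then
        echo "expiry: OK"
    else
        echo "expiry: FAIL (expired or expires within $warn_secs s)"; rc=1
    fi

    # 3. SANs: every required name or address must appear in the extension.
    #    openssl prints IP entries as "IP Address:x", so map the "IP:" shorthand.
    if [ -n "$required_sans" ]; then
        have=$(openssl x509 -in "$cert" -noout -text \
            | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }')
        missing=$(printf '%s\n' "$required_sans" | tr ',' '\n' | while read -r san; do
            want=$(printf '%s' "$san" | sed 's/^IP:/IP Address:/')
            case ", $have," in *", $want,"*) ;; *) printf '%s ' "$san" ;; esac
        done)
        if [ -z "$missing" ]; then
            echo "sans:   OK ($have)"
        else
            echo "sans:   FAIL (missing: $missing)"; rc=1
        fi
    fi

    # 4. Private key permissions, when the key sits beside the cert as NAME.key.
    key="${cert%.crt}.key"
    if [ -f "$key" ]; then
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        if [ "$mode" = "600" ]; then
            echo "key:    OK (mode $mode)"
        else
            echo "key:    FAIL (mode $mode, want 600)"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed demo PKI (assumed names, not real cluster material): a cluster CA,
# a healthy API server cert, one that expires tomorrow with a world-readable
# key, and an unrelated CA to show what a wrong issuer looks like.
make_demo_pki() {
    local dir="$1" name_days name days
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=KUBERNETES-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=OTHER-CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:kubernetes,DNS:kubernetes.default,IP:10.96.0.1\n' > "$dir/san.cnf"
    for name_days in apiserver:365 short:1; do
        name="${name_days%:*}"; days="${name_days#*:}"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days "$days" -extfile "$dir/san.cnf" -out "$dir/$name.crt" 2>/dev/null
    done
    chmod 600 "$dir/apiserver.key"
    chmod 644 "$dir/short.key"      # deliberate finding for the demo
}

case "${1:-}" in
    --demo)
        demo=$(mktemp -d)
        make_demo_pki "$demo"
        audit_cert "$demo/apiserver.crt" "$demo/ca.crt" 2592000 "DNS:kubernetes,DNS:kubernetes.default,IP:10.96.0.1"
        audit_cert "$demo/short.crt" "$demo/ca.crt" || true             # expiry and key mode findings
        audit_cert "$demo/apiserver.crt" "$demo/other-ca.crt" || true   # trust chain finding
        ;;
    "") ;;                     # no arguments: only define the functions
    *)  audit_cert "$@" ;;
esac
```

Loop it over every file in the table of section 4 (with the etcd CA for the etcd certificates) and you have the full health check from the scenario. On kubeadm clusters, kubeadm certs check-expiration gives the same expiry overview for every certificate kubeadm manages, but it does not verify chains, SANs or file modes.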

6️⃣ Troubleshooting Logs

If API Server is Running

kubectl logs kube-apiserver-<node> -n kube-system

If API Server is Down

kubectl cannot reach the API, so read the container directly from the runtime (crictl on containerd or CRI-O clusters, docker on older Docker-based ones):

docker ps -a
docker logs <container-id>
crictl ps -a
crictl logs <container-id>

If the container was never created at all, the kubelet's own journal (journalctl -u kubelet) records why the static pod failed to start.

7️⃣ Common Production Issues

Issue              Impact
Expired CA         Entire cluster down
Expired API cert   kubectl fails
Missing SAN        API unreachable through the missing name or IP
Wrong CN           RBAC denied (CN is the user name, O the group)
Incorrect issuer   Trust failure

8️⃣ Best Practices

✅ DO

Success

  • Monitor certificate expiration
  • Automate renewal (kubeadm certs renew all on kubeadm clusters, then restart the control plane pods so they load the new files)
  • Back up the CA key securely; whoever holds it can mint any cluster identity
  • Rotate certificates before expiry
  • Audit regularly

❌ DON'T

Danger

  • Do NOT ignore expiry warnings
  • Do NOT commit private keys to Git
  • Do NOT reuse admin certificates
  • Do NOT modify certificates without a restart plan

🔍 Quick Expiry Check

openssl x509 -in apiserver.crt -noout -dates

🎯 Summary

  1. Identify cluster provisioning method
  2. Locate certificate files
  3. Decode using OpenSSL
  4. Validate CN, SAN, Issuer, Expiry
  5. Check logs if issues
  6. Plan proactive renewal

Quote

Regular certificate audits prevent unexpected control plane outages.