Renewing Certificates in Kubernetes High Availability Clusters


This command displays the expiration and remaining validity time for all certificates, including client certificates in the /etc/kubernetes/pki directory and client certificates embedded in KUBECONFIG files (admin.conf, controller-manager.conf, scheduler.conf).

### Manual Certificate Renewal

The kubeadm certs renew command allows manual certificate renewal at any time. It uses the CA (or front-proxy-CA) certificates and keys stored in /etc/kubernetes/pki to regenerate the certificates.

#### Backing Up Certificates

**Important**: For high availability clusters, operations must be performed on all master nodes.

```
cp -r /etc/kubernetes /etc/kubernetes-backup
```

#### Renewing All Certificates

After executing the command, note the following:

- Certificates are unconditionally renewed for one year regardless of their current expiration status.
- Certificate SAN information and other attributes are taken from the original certificates; no additional information needs to be provided.
- After renewal, components must be restarted for the changes to take effect.

**Important**: For high availability clusters, operations must be performed on all master nodes.

```
kubeadm certs renew all
```

#### Verify Certificate Validity

```
[root@master01 ~]# kubeadm certs check-expiration
```

#### Restarting Components for Changes to Take Effect

```
[root@master01 ~]# mv /etc/kubernetes/manifests/* /tmp/
```

After approximately 30 seconds, the kube-apiserver, kube-controller-manager, kube-scheduler, and etcd containers will stop. Then move the manifest files back:

```
[root@master01 ~]# mv /tmp/kube-* /etc/kubernetes/manifests/
[root@master01 ~]# mv /tmp/etcd.yaml /etc/kubernetes/manifests/
```

Verify that components have restarted successfully.

#### Updating Kubeconfig Files

```
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chmod 600 $HOME/.kube/config
```
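As an added example (not part of the original post), the following Python script parses the table that `kubeadm certs check-expiration` prints and lists the certificates that expire within a chosen window, so the check above can be run on every master node and fed into monitoring instead of being read by eye. It assumes the column layout and date format that kubeadm prints (`Dec 30, 2020 23:36 UTC`); the sample output and the reference time are constructed.

```python
import re
from datetime import datetime, timedelta

# One table row: a certificate name followed by a date such as "Dec 30, 2020 23:36 UTC".
ROW = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2} UTC)\s")
DATE_FMT = "%b %d, %Y %H:%M UTC"
# Constructed reference time used for the sample below (not the real clock).
NOW = datetime(2026, 5, 18, 1, 26)


def parse_check_expiration(output):
    """Return {name: expiry datetime} for every certificate and CA row in the output."""
    certs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group(1)] = datetime.strptime(m.group(2), DATE_FMT)
    return certs


def expiring_within(certs, now, days):
    """Names of certificates that expire within `days` of `now`, soonest first."""
    limit = now + timedelta(days=days)
    due = [(exp, name) for name, exp in certs.items() if exp <= limit]
    return [name for _, name in sorted(due)]


# Constructed sample in the layout kubeadm prints (rows trimmed for brevity).
SAMPLE = """\
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 02, 2026 01:00 UTC   15d             ca                      no
apiserver                  Jun 02, 2026 01:00 UTC   15d             ca                      no
apiserver-etcd-client      Jun 02, 2026 01:00 UTC   15d             etcd-ca                 no
etcd-server                Dec 30, 2026 01:00 UTC   226d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 15, 2035 01:00 UTC   8y              no
etcd-ca                 May 15, 2035 01:00 UTC   8y              no
"""

if __name__ == "__main__":
    certs = parse_check_expiration(SAMPLE)
    # The CA rows are parsed too: `kubeadm certs renew` does not renew the CAs,
    # so their expiry has to be tracked separately from the leaf certificates.
    for name in expiring_within(certs, NOW, 30):
        print(f"{name} expires {certs[name]:%Y-%m-%d}; renew on every master node")
```

In production, replace SAMPLE with the captured output of `kubeadm certs check-expiration` from each master node.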
Tags: kubernetes kubeadm etcd pki certificate-renewal

Posted on Mon, 18 May 2026 01:26:52 +0000 by kiss_FM