This is the multi-page printable view of this section. Click here to print.
Certificate management
- 1: Monitoring Certificate Expiration
- 2: Renew certificates using eksctl anywhere
- 3: Script to renew cluster certificates
- 4: Manual steps to renew certificates
1 - Monitoring Certificate Expiration
There are a few ways to check certificate expiration dates depending on your cluster’s accessibility.
Using ClusterCertificateInfo (When cluster is accessible)
When your cluster is accessible via kubectl, use the ClusterCertificateInfo field in the cluster status:
kubectl get cluster <cluster-name> -o json | jq '.status.clusterCertificateInfo'
This will output a list of objects containing the machine name and the number of days until the certificate expires:
[
  {
    "machine": "my-cluster-control-plane-abc123",
    "expiresInDays": 300
  },
  {
    "machine": "my-cluster-control-plane-def456",
    "expiresInDays": 300
  },
  {
    "machine": "my-cluster-etcd-ghi789",
    "expiresInDays": 300
  }
]
The ClusterCertificateInfo field contains a list of machine objects with the following properties:
- machine: The name of the machine (control plane or external etcd)
- expiresInDays: The number of days until the certificate expires
This information is updated periodically as part of the cluster status reconciliation process. The certificate expiration check is performed by connecting to each machine’s API server (port 6443 for control plane) or etcd server (port 2379 for external etcd) and retrieving the certificate expiration date.
Using OpenSSL for Direct Certificate Inspection (When cluster is not accessible)
When the cluster is not accessbile, you can directly check certificates using opessl:
# The expiry time of api-server certificate on control plane node
echo | openssl s_client -connect ${CONTROL_PLANE_IP}:6443 2>/dev/null | openssl x509 -noout -dates
# The expiry time of certificate used by your external etcd server, if you configured one
echo | openssl s_client -connect ${EXTERNAL_ETCD_IP}:2379 2>/dev/null | openssl x509 -noout -dates
Monitoring Best Practices
- Regular Checks: Periodically check certificate expiration to ensure you have enough time to plan for certificate renewal.
- Set Up Alerts: Consider setting up alerts to notify you when certificates are approaching expiration (e.g., 30 days before expiration).
- Proactive Renewal: If certificates are approaching expiration (less than 30 days), plan for certificate renewal using one of the methods described below.
Certificate Renewal
EKS Anywhere automatically rotates certificates when new machines are rolled out during cluster lifecycle operations such as upgrade (ie. EKS Anywhere version upgrades or Kubernetes version upgrades where nodes actually roll out). If you upgrade your cluster at least once a year, as recommended, manual rotation of cluster certificates will not be necessary.
If you need to manually renew certificates, you can use one of the following methods:
- Renew certificates using eksctl anywhere - Recommended approach using the eksctl anywhere CLI
- Script to renew certificates - Automated approach using a script
- Manual steps to renew certificates - Step-by-step manual process
2 - Renew certificates using eksctl anywhere
Overview
EKS Anywhere provides a simple and recommended way to renew cluster certificates using the eksctl anywhere renew certificates command. This is the recommended approach for certificate renewal.
Get more information on EKS Anywhere cluster certificates from Monitoring Certificate Expiration
Note
This feature is officially available starting with EKS Anywherev0.23.1.
However, it can also be used with clusters running older EKS Anywhere versions. To do so, you can download the new EKS Anywhere CLI at version v0.23.1 (or later) and use it to renew your existing cluster’s certificates.
Prerequisites
- Admin machine with:
- eksctl anywhereCLI installed
- SSH access to all control plane and etcd nodes
 
Configuration File
Create a YAML configuration file that specifies the cluster details and SSH access information. Example configuration file:
clusterName: my-cluster
os: ubuntu  # Options: ubuntu, rhel, bottlerocket
controlPlane: 
  nodes: 
  - 192.168.1.10
  - 192.168.1.11
  - 192.168.1.12
  ssh:
    sshKey: /path/to/private/key
    sshUser: ssh-user
etcd: 
  nodes: 
  - 192.168.1.20
  - 192.168.1.21
  - 192.168.1.22
  ssh:
    sshKey: /path/to/private/key
    sshUser: ssh-user
Configuration Fields
clusterName (required)
Name of the EKS Anywhere cluster.
os (required)
Operating system of the nodes. Permitted values: ubuntu, rhel, bottlerocket.
controlPlane.nodes (optional)
List of control plane node IPs. Node IPs can be omitted if the cluster is accessible.
controlPlane.ssh.sshKey (required)
Path to SSH private key for control plane nodes.
controlPlane.ssh.sshUser (required)
SSH user for control plane nodes.
etcd (optional)
Required only if the cluster uses external etcd nodes.
etcd.nodes (optional)
List of external etcd node IPs. Node IPs can be omitted if the cluster is accessible.
etcd.ssh.sshKey (required if using external etcd)
Path to SSH private key for etcd nodes. Required only if the cluster uses external etcd nodes.
etcd.ssh.sshUser (required if using external etcd)
SSH user for etcd nodes. Required only if the cluster uses external etcd nodes.
Using Password-Protected SSH Keys
If your SSH keys are password protected, you can use environment variables to provide the passphrases instead of including them in the configuration file:
- EKSA_SSH_KEY_PASSPHRASE_CP: Passphrase for the control plane SSH key
- EKSA_SSH_KEY_PASSPHRASE_ETCD: Passphrase for the etcd SSH key
When using these environment variables, you can leave the sshKey field empty in your configuration file.
Steps to Renew Certificates
- 
Create the configuration file as described above (e.g., cert-renewal-config.yaml).
- 
Run the certificate renewal command: 
eksctl anywhere renew certificates -f cert-renewal-config.yaml
You can set the log level verbosity using the -v or --verbosity flag:
eksctl anywhere renew certificates -f cert-renewal-config.yaml -v 9
You can also specify which component’s certificates to renew using the --component flag:
# Renew only control plane certificates
eksctl anywhere renew certificates -f cert-renewal-config.yaml --component control-plane
# Renew only etcd certificates
eksctl anywhere renew certificates -f cert-renewal-config.yaml --component etcd
This is useful when you want to renew certificates for only specific components rather than all components at once.
Renew certificates for a cluster with accessible nodes
For clusters that are accessible via kubectl, follow these steps:
- 
Set the KUBECONFIG environment variable: export KUBECONFIG=mgmt/mgmt-eks-a-cluster.kubeconfig
- 
Create a simplified configuration file without node IPs: clusterName: my-cluster os: ubuntu controlPlane: ssh: sshKey: /path/to/private/key sshUser: ssh-user etcd: ssh: sshKey: /path/to/private/key sshUser: ssh-user
- 
Run the certificate renewal command: eksctl anywhere renew certificates -f cert-renewal-config.yaml
What the command does
The eksctl anywhere renew certificates command automates the certificate renewal process by:
- Connecting to each node via SSH
- Backing up existing certificates
- For external etcd nodes:
- Regenerating etcd certificates
- Verifying etcd health
 
- For control plane nodes:
- Renewing all kubeadm certificates
- Restarting static pods
- Updating external etcd key cert (if present)
- Verifying API server health
 
- Verifying overall cluster health
3 - Script to renew cluster certificates
Note
While this script-based approach is supported, the recommended method
for certificate renewal is using the eksctl anywhere renew certificates command.
Get more information on EKS Anywhere cluster certificates from Monitoring Certificate Expiration
This script automates:
- Certificate renewal for etcd and control plane nodes
- Cleanup of temporary files if certificates are renewed and cluster is healthy
Prerequisites
- Admin machine with:
- kubectl,- yq,- jq,- scp,- ssh, and- sudoinstalled
 
- SSH access to all control plane and etcd nodes
Steps
- Setup environment variable:
export KUBECONFIG=<path-to-management-cluster-kubeconfig>
- Prepare a keys-config.yamlfile
Add node and private key information of your control plane and/or external etcd to a file, such as keys-config.yaml:
clusterName: <cluster-name>
controlPlane:
  nodes:
  - <control-plane-1-ip>
  - <control-plane-2-ip>
  - <control-plane-3-ip>
  sshKey: <complete-path-to-private-ssh-key>
  sshUser: <ssh-user>
etcd:
  nodes:
  - <external-etcd-1-ip>
  - <external-etcd-2-ip>
  - <external-etcd-3-ip>
  sshKey: <complete-path-to-private-ssh-key>
  sshUser: <ssh-user>
- Download the Script
```bash
curl -O https://raw.githubusercontent.com/aws/eks-anywhere/refs/heads/main/scripts/renew_certificates.sh
chmod +x renew_certificates.sh
``````bash
curl -O https://raw.githubusercontent.com/aws/eks-anywhere/refs/heads/main/scripts/renew_certificates_bottlerocket.sh
chmod +x renew_certificates_bottlerocket.sh
```- Run the Script as a sudouser
sudo ./renew_certificates.sh -f keys-config.yaml
What the Script Does
- Backs up:
- All etcd certificates (in case of external etcd)
- Control plane certificates
 
- Renews external etcd certificates
- Updates the Kubernetes secret apiserver-etcd-clientif api server is reachable
- Renews all kubeadm certificates
- Restarts static control plane pods
- Cleans up temporary certs and backup folders (only if certificates are renewed successfully and cluster is healthy)
4 - Manual steps to renew certificates
Note
While these manual steps renew the certificates, the recommended method
for certificate renewal is using the eksctl anywhere renew certificates command.
Certificates for external etcd and control plane nodes expire after 1 year in EKS Anywhere. This page shows the process for manually rotating certificates.
Get more information on EKS Anywhere cluster certificates from Monitoring Certificate Expiration
The following table lists the cluster certificate files:
| etcd node | control plane node | 
|---|---|
| apiserver-etcd-client | apiserver-etcd-client | 
| ca | ca | 
| etcdctl-etcd-client | front-proxy-ca | 
| peer | sa | 
| server | etcd/ca.crt | 
| apiserver-kubelet-client | |
| apiserver | |
| front-proxy-client | 
NOTE: You can rotate certificates by following the steps given below. You cannot rotate the
cacertificate because it is the root certificate. Note that the commands used for Bottlerocket nodes are different than those for Ubuntu and RHEL nodes.
External etcd nodes
If your cluster is using external etcd nodes, you need to renew the etcd node certificates first.
Note
You can check for external etcd nodes by running the following command:
kubectl get etcdadmcluster -A
- SSH into each etcd node and run the following commands. Etcd automatically detects the new certificates and deprecates its old certificates.
# backup certs
cd /etc/etcd
sudo cp -r pki pki.bak
sudo rm pki/*
sudo cp pki.bak/ca.* pki
# run certificates join phase to regenerate the deleted certificates
sudo etcdadm join phase certificates http://eks-a-etcd-dumb-url# you would be in the admin container when you ssh to the Bottlerocket machine
# open a root shell
sudo sheltie
# pull the image
IMAGE_ID=$(apiclient get | apiclient exec admin jq -r '.settings["host-containers"]["kubeadm-bootstrap"].source')
ctr image pull ${IMAGE_ID}
# backup certs
cd /var/lib/etcd
cp -r pki pki.bak
rm pki/*
cp pki.bak/ca.* pki
# recreate certificates
ctr run \
--mount type=bind,src=/var/lib/etcd/pki,dst=/etc/etcd/pki,options=rbind:rw \
--net-host \
--rm \
${IMAGE_ID} tmp-cert-renew \
/opt/bin/etcdadm join phase certificates http://eks-a-etcd-dumb-url --init-system kubelet- Verify your etcd node is running correctly
sudo etcdctl --cacert=/etc/etcd/pki/ca.crt --cert=/etc/etcd/pki/etcdctl-etcd-client.crt --key=/etc/etcd/pki/etcdctl-etcd-client.key member listETCD_CONTAINER_ID=$(ctr -n k8s.io c ls | grep -w "etcd-io" | cut -d " " -f1 | tail -1)
ctr -n k8s.io t exec -t --exec-id etcd ${ETCD_CONTAINER_ID} etcdctl \
     --cacert=/var/lib/etcd/pki/ca.crt \
     --cert=/var/lib/etcd/pki/server.crt \
     --key=/var/lib/etcd/pki/server.key \
     member list- If the above command fails due to multiple etcd containers existing, then navigate to /var/log/containers/etcdand confirm which container was running during the issue timeframe (this container would be the ‘stale’ container). Delete this older etcd once you have renewed the certs and the new etcd container will be able to enter a functioning state. If you don’t do this, the two etcd containers will stay indefinitely and the etcd will not recover.
- 
Repeat the above steps for all etcd nodes. 
- 
Save the apiserver-etcd-clientcrtandkeyfile from one of the etcd nodes. They need to be updated in the following secret in management cluster. You will also need them when renewing the certificates on control plane nodes.
kubectl create secret generic ${cluster-name}-apiserver-etcd-client   --from-file=tls.crt=./apiserver-etcd-client.crt   --from-file=tls.key=./apiserver-etcd-client.key   --type=cluster.x-k8s.io/secret   -n eksa-system --dry-run=client -o yaml | kubectl apply -f -
Note
On Bottlerocket control plane nodes, thecertificate filename of apiserver-etcd-client is server-etcd-client.crt instead of apiserver-etcd-client.crt.
Control plane nodes
When there are no external etcd nodes, you only need to rotate the certificates for control plane nodes, as etcd certificates are managed by kubeadm when there are no external etcd nodes.
- SSH into each control plane node and run the following commands.
sudo kubeadm certs renew all# you would be in the admin container when you ssh to the Bottlerocket machine
# open root shell
sudo sheltie
# pull the image
IMAGE_ID=$(apiclient get | apiclient exec admin jq -r '.settings["host-containers"]["kubeadm-bootstrap"].source')
ctr image pull ${IMAGE_ID}
# renew certs
# you may see missing etcd certs error, which is expected if you have external etcd nodes
ctr run \
--mount type=bind,src=/var/lib/kubeadm,dst=/var/lib/kubeadm,options=rbind:rw \
--mount type=bind,src=/var/lib/kubeadm,dst=/etc/kubernetes,options=rbind:rw \
--rm \
${IMAGE_ID} tmp-cert-renew \
/opt/bin/kubeadm certs renew all- Verify the certificates have been rotated.
sudo kubeadm certs check-expiration# you may see missing etcd certs error, which is expected if you have external etcd nodes
ctr run \
--mount type=bind,src=/var/lib/kubeadm,dst=/var/lib/kubeadm,options=rbind:rw \
--mount type=bind,src=/var/lib/kubeadm,dst=/etc/kubernetes,options=rbind:rw \
--rm \
${IMAGE_ID} tmp-cert-renew \
/opt/bin/kubeadm certs check-expiration- 
If you have external etcd nodes, manually replace the server-etcd-client.crtandapiserver-etcd-client.keyfiles in the/etc/kubernetes/pki(or/var/lib/kubeadm/pkiin Bottlerocket) folder with the files you saved from any etcd node.- For Bottlerocket:
 cp apiserver-etcd-client.key /tmp/ cp server-etcd-client.crt /tmp/ sudo sheltie cp /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/apiserver-etcd-client.key /var/lib/kubeadm/pki/ cp /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/server-etcd-client.crt /var/lib/kubeadm/pki/
- 
Restart static control plane pods. - 
For Ubuntu and RHEL: temporarily move all manifest files from /etc/kubernetes/manifests/and wait for 20 seconds, then move the manifests back to this file location.
- 
For Bottlerocket: re-enable the static pods: 
 apiclient get | apiclient exec admin jq -r '.settings.kubernetes["static-pods"] | keys[]' | xargs -n 1 -I {} apiclient set settings.kubernetes.static-pods.{}.enabled=false apiclient get | apiclient exec admin jq -r '.settings.kubernetes["static-pods"] | keys[]' | xargs -n 1 -I {} apiclient set settings.kubernetes.static-pods.{}.enabled=trueYou can verify Pods restarting by running kubectlfrom your Admin machine.
- 
- 
Repeat the above steps for all control plane nodes. 
You can similarly use the above steps to rotate a single certificate instead of all certificates.
Kubelet
If kubeadm certs check-expiration is happy, but kubectl commands against the cluster fail with x509: certificate has expired or is not yet valid, then it’s likely that the kubelet certs did not rotate. To rotate them, SSH back into one of the control plane nodes and do the following.
# backup certs
cd /var/lib/kubelet
cp -r pki pki.bak
rm pki/*
systemctl restart kubelet
Note
When the control plane endpoint is unavailable because the API server pod is not running, the kubelet service may fail to start all static pods in the container runtime. Its logs may contain failed to connect to apiserver.
If this occurs, update kubelet-client-current.pem by running the following commands:
cat /etc/kubernetes/admin.conf | grep client-certificate-data: | sed 's/^.*: //' | base64 -d > /var/lib/kubelet/pki/kubelet-client-current.pem
cat /etc/kubernetes/admin.conf | grep client-key-data: | sed 's/^.*: //' | base64 -d >> /var/lib/kubelet/pki/kubelet-client-current.pem
systemctl restart kubelet
cat /var/lib/kubeadm/admin.conf | grep client-certificate-data: | apiclient exec admin sed 's/^.*: //' | base64 -d > /var/lib/kubelet/pki/kubelet-client-current.pem
cat /var/lib/kubeadm/admin.conf | grep client-key-data: | apiclient exec admin sed 's/^.*: //' | base64 -d >> /var/lib/kubelet/pki/kubelet-client-current.pem
systemctl restart kubelet
Worker nodes
If worker nodes are in Not Ready state and the kubelet fails to bootstrap then it’s likely that the kubelet client-cert kubelet-client-current.pem did not automatically rotate. If this rotation process fails you might see errors such as x509: certificate has expired or is not yet valid in kube-apiserver logs. To fix the issue, do the following:
- 
Backup and delete /etc/kubernetes/kubelet.conf(ignore this file for BottleRocket) and/var/lib/kubelet/pki/kubelet-client*from the failed node.
- 
From a working control plane node in the cluster that has /etc/kubernetes/pki/ca.key execute kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE > kubelet.conf.$NODEmust be set to the name of the existing failed node in the cluster. Modify the resulted kubelet.conf manually to adjust the cluster name and server endpoint, or passkubeconfig user --config(modifyingkubelet.conffile can be ignored for BottleRocket).
- 
For Ubuntu or RHEL nodes, Copy this resulted kubelet.confto/etc/kubernetes/kubelet.confon the failed node. Restart the kubelet (systemctl restart kubelet) on the failed node and wait for/var/lib/kubelet/pki/kubelet-client-current.pemto be recreated. Manually edit thekubelet.confto point to the rotated kubelet client certificates by replacing client-certificate-data and client-key-data with/var/lib/kubelet/pki/kubelet-client-current.pemand/var/lib/kubelet/pki/kubelet-client-current.pem. For BottleRocket, manually copy over the base64 decoded values ofclient-certificate-dataandclient-key-datainto thekubelet-client-current.pemon worker node.
kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE > kubelet.conf (from control plane node with renewed `/etc/kubernetes/pki/ca.key`)
cp kubelet.conf /etc/kubernetes/kubelet.conf (on failed worker node)# From control plane node with renewed certs
# you would be in the admin container when you ssh to the Bottlerocket machine
# open root shell
sudo sheltie
# pull the image
IMAGE_ID=$(apiclient get | apiclient exec admin jq -r '.settings["host-containers"]["kubeadm-bootstrap"].source')
ctr image pull ${IMAGE_ID}
# set NODE value to the failed worker node name.
ctr run \
--mount type=bind,src=/var/lib/kubeadm,dst=/var/lib/kubeadm,options=rbind:rw \
--mount type=bind,src=/var/lib/kubeadm,dst=/etc/kubernetes,options=rbind:rw \
--rm \
${IMAGE_ID} tmp-cert-renew \
/opt/bin/kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE 
# from the stdout base64 decode `client-certificate-data` and `client-key-data`
# copy client-cert to kubelet-client-current.pem on worker node
echo -n `<base64 decoded client-certificate-data value>` > kubelet-client-current.pem
# append client key to kubelet-client-current.pem on worker node
echo -n `<base64 decoded client-key-data value>` >> kubelet-client-current.pem- Restart the kubelet. Make sure the node becomes Ready.
See the Kubernetes documentation for more details on manually updating kubelet client certificate.
Post Renewal
Once all the certificates are valid, verify the kcp object on the affected cluster(s) is not paused by running kubectl describe kcp -n eksa-system | grep cluster.x-k8s.io/paused. If it is paused, then this usually indicates an issue with the etcd cluster. Check the logs for pods under the etcdadm-controller-system namespace for any errors.
If the logs indicate an issue with the etcd endpoints, then you need to update spec.clusterConfiguration.etcd.endpoints in the cluster’s kubeadmconfig resource: kubectl edit kcp -n eksa-system
Example:
etcd:
   external:
     caFile: /var/lib/kubeadm/pki/etcd/ca.crt
      certFile: /var/lib/kubeadm/pki/server-etcd-client.crt
      endpoints:
      - https://xxx.xxx.xxx.xxx:2379
      - https://xxx.xxx.xxx.xxx:2379
      - https://xxx.xxx.xxx.xxx:2379
What do I do if my local kubeconfig has expired?
Your local kubeconfig, used to interact with the cluster, contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error:
Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server.
This error typically occurs when the cluster certificates have been renewed or extended during the upgrade process. To resolve this issue, you need to update your local kubeconfig file with the new cluster credentials.
You can extract your new kubeconfig using the following steps.
- You can extract your new kubeconfig by SSHing to one of the Control Plane nodes, exporting kubeconfig from the secret object, and copying kubeconfig file to /tmpdirectory, as shown here:
ssh -i <YOUR_PRIVATE_KEY> <USER_NAME>@<YOUR_CONTROLPLANE_IP> # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine Operating System
export CLUSTER_NAME="<YOUR_CLUSTER_NAME_HERE>"
cat /etc/kubernetes/admin.conf
export KUBECONFIG="/etc/kubernetes/admin.conf"
kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml -o=jsonpath="{.data.value}" | base64 --decode > /tmp/user-admin.kubeconfig# You would need to be in the admin container when you ssh to the Bottlerocket machine
# open a root shell
sudo sheltie
cat /var/lib/kubeadm/admin.conf
cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/kubernetes-admin.kubeconfig
exit # exit from the sudo sheltie container
export CLUSTER_NAME="<YOUR_CLUSTER_NAME_HERE>"
export KUBECONFIG="/tmp/kubernetes-admin.kubeconfig"
kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml -o=jsonpath="{.data.value}" | base64 --decode > /tmp/user-admin.kubeconfig
exit # exit from the Control Plane Machine- From your admin machine, download the kubeconfig file from the ControlPlane node and use it to access your Kubernetes Cluster.
ssh <ADMIN_MACHINE_IP>
export CONTROLPLANE_IP="<CONTROLPLANE_IP_ADDR>"
sftp -i <keypair> <USER_NAME>@${CONTROLPLANE_IP}:/tmp/user-admin.kubeconfig . # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine 
ls -ltr 
export KUBECONFIG="user-admin.kubeconfig"
kubectl get pods