By default, kubeadm generates all the certificates needed for a cluster to run. You can override this behavior by providing your own certificates.
Check certificate expiration
sudo kubeadm certs check-expiration
# [check-expiration] Reading configuration from the cluster...
# [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
# CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
# admin.conf Feb 08, 2022 04:58 UTC 364d no
# apiserver Feb 08, 2022 04:57 UTC 364d ca no
# apiserver-etcd-client Feb 08, 2022 04:57 UTC 364d etcd-ca no
# apiserver-kubelet-client Feb 08, 2022 04:57 UTC 364d ca no
# controller-manager.conf Feb 08, 2022 04:58 UTC 364d no
# etcd-healthcheck-client Jan 29, 2022 01:08 UTC 354d etcd-ca no
# etcd-peer Jan 29, 2022 01:08 UTC 354d etcd-ca no
# etcd-server Jan 29, 2022 01:08 UTC 354d etcd-ca no
# front-proxy-client Feb 08, 2022 04:57 UTC 364d front-proxy-ca no
# scheduler.conf Feb 08, 2022 04:58 UTC 364d no
# CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
# ca Jan 27, 2031 01:08 UTC 9y no
# etcd-ca Jan 27, 2031 01:08 UTC 9y no
# front-proxy-ca Jan 27, 2031 01:08 UTC 9y no