Suppose there are multiple certificate-related issues in the environment and you are asked to perform a health check of all the certificates in the entire cluster.
It is important to know how the cluster was set up. There are different solutions available for deploying a Kubernetes cluster, and they use different methods to generate and manage certificates.
If you deploy a Kubernetes cluster from scratch, you generate all the certificates yourself.
If you deploy a Kubernetes cluster with kubeadm, it automatically generates the certificates and configures the cluster for you.
$ sudo cat /etc/kubernetes/manifests/kube-apiserver.yaml
In the hard way you deploy all the components as native services on the nodes, whereas the kubeadm tool deploys them as pods. So it is important to know where to look to find the right information.
Decode certificate
$ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3307100801619468887 (0x2de52ea844f02257)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Nov 22 07:21:53 2020 GMT
            Not After : Dec 22 12:13:04 2021 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:19:F2:3C:F5:AB:CE:8D:38:86:2D:15:B2:CF:35:5D:77:17:44:23:A5
            X509v3 Subject Alternative Name:
                DNS:kubemaster, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.56.2
    Signature Algorithm: sha256WithRSAEncryption
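The Python example below is added here and is not part of the original page. It turns the decoded output above into a health-check result: validity window, expiry warning and expected SANs. The function names and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Fields copied from the decoded apiserver.crt output above; hex dumps omitted.
SAMPLE = """\
Issuer: CN = kubernetes
Validity
Not Before: Nov 22 07:21:53 2020 GMT
Not After : Dec 22 12:13:04 2021 GMT
Subject: CN = kube-apiserver
X509v3 Subject Alternative Name:
DNS:kubemaster, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.56.2
"""

def _field(text, label):
    """Value of a 'Label: value' line, tolerating indentation and 'Label : value'."""
    m = re.search(rf"^\s*{label}\s*:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _time(text, label):
    raw = _field(text, label)
    if raw is None:
        raise ValueError(f"{label} not found in decoded certificate")
    # openssl pads single-digit days ("Dec  2"); collapse whitespace before parsing.
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def _sans(text):
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    items = [s.strip() for s in m.group(1).split(",")] if m else []
    return {i.split(":", 1)[1] for i in items if ":" in i}  # drop "DNS:" / "IP Address:"

def check_cert(text, now, warn_days=30, expected_sans=()):
    """Return (summary, findings) for one `openssl x509 -text -noout` output."""
    not_before, not_after = _time(text, "Not Before"), _time(text, "Not After")
    sans = _sans(text)
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now >= not_after:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(not_after - now).days} days")
    findings += [f"missing SAN {s}" for s in expected_sans if s not in sans]
    summary = {"subject": _field(text, "Subject"), "issuer": _field(text, "Issuer"), "not_after": not_after, "sans": sans}
    return summary, findings

if __name__ == "__main__":
    print(check_cert(SAMPLE, datetime.now(timezone.utc), expected_sans=("192.168.56.2",)))
```

Feed it the `openssl x509 -text -noout` output of each certificate you inspect, and list in `expected_sans` the names and addresses clients actually use to reach that component.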