sfgroups

Reputation: 19099

Kubernetes create 5 year certificate for kubeapi

While creating the Kubernetes cluster using kubeadm on CentOS 7, it's creating a one-year kubeapi certificate. For me this is a short time for the cluster. How can I create a 5-year certificate during cluster setup?

* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Dec 20 14:32:00 2017 GMT
*       expire date: Dec 20 14:32:00 2018 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

I tried this, but it didn't work:

openssl genrsa -out ca.key 2048
export MASTER_IP=192.168.16.171
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
kubeadm reset
rm -rf /etc/kubernetes
mkdir -p /etc/kubernetes/ca/pki
cp ca.key ca.crt /etc/kubernetes/ca/pki/
kubeadm init
curl -k -v https://localhost:6443

Server certificate:
*       subject: CN=kube-apiserver
*       start date: Apr 15 21:07:24 2018 GMT
*       expire date: Apr 15 21:07:25 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes

Thanks SR

Upvotes: 5

Views: 1255

Answers (2)

sfgroups

Reputation: 19099

After looking at the code, there is no option to change the API certificate expiry date. It is set to 1 year in the code.

https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go

// Imports and the duration constant used by this function, as defined in the
// same client-go file. Config is the package's own Config struct, whose
// CommonName and Organization fields are used below.
import (
    cryptorand "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "crypto/x509/pkix"
    "math/big"
    "time"
)

const duration365d = time.Hour * 24 * 365

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
    now := time.Now()
    tmpl := x509.Certificate{
        SerialNumber: new(big.Int).SetInt64(0),
        Subject: pkix.Name{
            CommonName:   cfg.CommonName,
            Organization: cfg.Organization,
        },
        NotBefore:             now.UTC(),
        // The validity period is fixed here: ten 365-day years from "now".
        NotAfter:              now.Add(duration365d * 10).UTC(),
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
        BasicConstraintsValid: true,
        IsCA:                  true,
    }

    // Self-signed: the template is both the certificate and its parent.
    certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
    if err != nil {
        return nil, err
    }
    return x509.ParseCertificate(certDERBytes)
}

Upvotes: 3

Janos Lenart

Reputation: 27090

Follow the Kubernetes documentation on certificates to create the CA certificate.

If you choose openssl or easyrsa, use --days=1825; if you are going with cfssl, then in ca-config.json specify 5y for .signing.default.expiry.

Put the resulting ca.crt and ca.key in /etc/kubernetes/ca/pki. When you run kubeadm init it will detect those files and will not overwrite them; it will use that CA key & certificate to sign the other certificates needed.

Upvotes: 3
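The two answers together make one point: the validity period of a kubeadm CA is whatever NotAfter is set to when the CA is generated, and the only knob the user has is to supply their own ca.crt and ca.key. The following Go program is an added example, not code from kubeadm, client-go or either answer. It builds a self-signed CA with the same template shape as the client-go snippet above but with a caller-chosen lifetime (1825 days, matching the --days=1825 value in the second answer), writes it as PEM the way ca.crt is stored, and then checks a ca.crt the way a practitioner would before handing it to kubeadm init: that it is really a CA allowed to sign, that it is currently valid, and how many days remain. The function names (NewSelfSignedCA, GenerateCA, CertPEM, DaysRemaining) and the FiveYears constant are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// FiveYears is the validity asked for in the question; 1825 days matches the
// openssl/easyrsa value --days=1825 given in the answer above.
const FiveYears = 1825 * 24 * time.Hour

// NewSelfSignedCA builds a self-signed CA certificate whose validity period is
// set by lifetime instead of a hard-coded constant. Constructed example: the
// template mirrors the client-go snippet above, but this is not kubeadm's code.
func NewSelfSignedCA(commonName string, key *rsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, error) {
	// A random 128-bit serial instead of the fixed 0 used in the snippet above.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             now.UTC(),
		NotAfter:              now.Add(lifetime).UTC(), // this line decides "1 year" vs "5 years"
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is both the certificate and its parent.
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertPEM encodes a certificate the way it is stored in ca.crt.
func CertPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// GenerateCA creates a fresh 2048-bit RSA key (as in the question) and a
// self-signed CA with the given lifetime, returning the certificate and its PEM.
func GenerateCA(commonName string, lifetime time.Duration) (*x509.Certificate, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ca, err := NewSelfSignedCA(commonName, key, lifetime)
	if err != nil {
		return nil, nil, err
	}
	return ca, CertPEM(ca), nil
}

// DaysRemaining parses a PEM ca.crt, checks that it is usable as a signing CA
// and valid at the given time, and returns the whole days left until NotAfter.
func DaysRemaining(caPEM []byte, at time.Time) (int, error) {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	if !cert.IsCA || !cert.BasicConstraintsValid || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return 0, fmt.Errorf("%q is not a CA certificate permitted to sign", cert.Subject.CommonName)
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return 0, fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			at.UTC().Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return int(cert.NotAfter.Sub(at).Hours() / 24), nil
}

func main() {
	ca, caPEM, err := GenerateCA("kubernetes", FiveYears)
	if err != nil {
		panic(err)
	}
	days, err := DaysRemaining(caPEM, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA %q expires %s (%d days from now)\n", ca.Subject.CommonName, ca.NotAfter.Format(time.RFC3339), days)
}
```

DaysRemaining is the same check `openssl x509 -in ca.crt -noout -enddate` gives on the command line, with the CA-ness and key usage checks added; it is worth running against any pre-generated ca.crt before kubeadm init picks it up, since a key file and certificate that are not a valid signing CA will simply produce unusable cluster certificates.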
