How to rotate certificates for clusters launched by RKE v0.1.x or Rancher v2.0.x and v2.1.x



Kubernetes clusters use multiple certificates both to encrypt traffic to the Kubernetes components and to authenticate those requests. These certificates are auto-generated for clusters launched by Rancher and for clusters launched by the Rancher Kubernetes Engine (RKE) CLI.

In Rancher v2.0.x and v2.1.x, the auto-generated certificates for Rancher-launched Kubernetes clusters have a validity period of one year, meaning these certificates will expire one year after the cluster is provisioned. The same applies to Kubernetes clusters provisioned by v0.1.x of the Rancher Kubernetes Engine (RKE) CLI.

If you created a Rancher-launched or RKE-provisioned Kubernetes cluster about 1 year ago, and have not already rotated the certificates, you need to rotate them. If no action is taken, then when the certificates expire, the cluster will go into an error state and the Kubernetes API for the cluster will become unavailable. Rancher recommends that you rotate the certificates before they expire to avoid an unexpected service interruption. The rotation is a one-time operation, and the newly generated certificates will be valid for the next 10 years.
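To see which certificates are close to expiry before planning the rotation, a check along these lines can be run on a cluster node. This is an added example, not part of Rancher's article; it assumes `openssl` is installed and that you pass in the directory holding the node's PEM certificates, which this page does not name.

```shell
#!/bin/sh
# Added example: list certificates in a directory that expire within N days.
# The directory is supplied by the operator (assumption: it contains
# PEM-encoded files ending in .pem or .crt).

# expiring_certs DIR [DAYS]
# Prints "<path><TAB><notAfter>" for every certificate whose notAfter date
# falls within DAYS days from now (default 30) or has already passed.
expiring_certs() {
    dir=$1
    days=${2:-30}
    secs=$((days * 86400))
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        # Skip private keys and other non-certificate PEM files.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        # -checkend exits 0 only if the certificate is still valid
        # SECS seconds from now; any other result is reported.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
            printf '%s\t%s\n' "$f" "$end"
        fi
    done
}

# When invoked with arguments, run the check directly:
#   sh check-certs.sh <certificate-directory> [days]
if [ "$#" -ge 1 ]; then
    expiring_certs "$@"
fi
```

Only the first certificate in each file is inspected, so a bundle file is judged by its leading certificate.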


  • A Kubernetes cluster launched by RKE CLI v0.1.x, or Rancher v2.0.x and v2.1.x


Full details on how to rotate the certificates for both RKE-launched and Rancher-launched clusters can be found in the Rancher blog post "Manual Rotation of Certificates in Rancher Kubernetes Clusters".
