Security ‐ Node certificate expiry
sarad-rh edited this page Apr 9, 2026 · 6 revisions
This OpenShift security check validates that the etcd certificates on the control plane nodes have not expired and are not about to expire within the next 30 days. It covers the etcd serving and peer certificates, which are issued with a 3-year validity period and are not rotated automatically. The files checked are:
- etcd serving certificates: `/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs/etcd-serving-*.crt`
- etcd peer certificates: `/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs/etcd-peer-*.crt`
The rule warns if any certificate will expire within 30 days and fails if any certificate has already expired.
- `openssl` must be available on the node.
Expired or soon-to-expire etcd certificates can cause severe cluster disruption:
- etcd cluster instability and potential quorum loss
- Control plane components unable to communicate with etcd
- Failing cluster management operations
- The API server becoming unavailable
Common causes of expired or stale etcd certificates:
- Certificates reaching the end of their 3-year validity without renewal
- Incomplete cluster upgrades leaving stale certificates in place
- Clock skew between nodes, which makes the comparison of the certificate's expiry against the node's clock wrong in either direction
- Long-running clusters without proper certificate lifecycle management
Check the expiry date of the etcd certificates on a control plane node using openssl:
```bash
# Check etcd serving certificate (replace <node-name> with the actual node name)
openssl x509 -enddate -noout -in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs/etcd-serving-<node-name>.crt
# Check etcd peer certificate (replace <node-name> with the actual node name)
openssl x509 -enddate -noout -in /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs/etcd-peer-<node-name>.crt
# List all etcd certificates with details
ls -l /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs/
```
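The check logic as one complete script, added here as an example and not part of this project's own implementation: it applies the same thresholds as the rule (WARN when fewer than 30 days remain, FAIL once a certificate has expired), reports the number of days left for every serving and peer certificate, and treats a certificate that `openssl` cannot read as a failure rather than skipping it. It assumes it runs as root on a control plane node (for example inside `oc debug node/<node-name>` after `chroot /host`) with `openssl` and GNU `date` available; `CERT_DIR` and `WARN_DAYS` are variable names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not the project's own check implementation.
# Classifies the etcd serving and peer certificates on a control plane node as
# OK / WARN / FAIL with the rule's thresholds: FAIL once expired, WARN when fewer
# than WARN_DAYS remain. Exit status: 0 = OK, 1 = WARN, 2 = FAIL.
# Assumptions: runs as root on the node (e.g. `oc debug node/<node-name>` then
# `chroot /host`) with openssl and GNU date available. CERT_DIR and WARN_DAYS
# are variable names chosen for this example.
set -u

CERT_DIR="${CERT_DIR:-/etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs}"
WARN_DAYS="${WARN_DAYS:-30}"

# notafter_epoch "notAfter=Apr  9 12:00:00 2029 GMT"
# Converts the line printed by `openssl x509 -enddate -noout` to epoch seconds.
notafter_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# classify <notAfter_epoch> <now_epoch>
# Prints FAIL / WARN / OK and returns 2 / 1 / 0. Kept free of openssl so the
# threshold logic can be exercised with constructed timestamps.
classify() {
    local remaining=$(( $1 - $2 ))
    if [ "$remaining" -le 0 ]; then
        echo FAIL; return 2
    elif [ "$remaining" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo WARN; return 1
    fi
    echo OK; return 0
}

# check_cert <file>
# Prints "<status> <days left> <file>" and returns the status code.
# A certificate that cannot be read is reported as FAIL rather than skipped,
# so a missing or corrupt file never passes silently.
check_cert() {
    local cert="$1" enddate end now status rc
    enddate=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null) || {
        printf 'FAIL  unreadable  %s\n' "$cert"; return 2; }
    end=$(notafter_epoch "$enddate") || return 2
    now=$(date -u +%s)
    status=$(classify "$end" "$now"); rc=$?
    printf '%-4s %5d days  %s\n' "$status" $(( (end - now) / 86400 )) "$cert"
    return "$rc"
}

# check_all
# Walks every serving and peer certificate in CERT_DIR; the worst status wins.
check_all() {
    local worst=0 r f
    for f in "$CERT_DIR"/etcd-serving-*.crt "$CERT_DIR"/etcd-peer-*.crt; do
        [ -e "$f" ] || continue        # unmatched glob: no such certs on this node
        check_cert "$f"; r=$?
        [ "$r" -gt "$worst" ] && worst=$r
    done
    return "$worst"
}

check_all
```

The script's exit status (0, 1 or 2) makes it usable directly from a compliance runner. A single certificate can also be tested without the script with `openssl x509 -checkend 2592000 -noout -in <cert>`, which exits non-zero if the certificate will expire within the next 30 days (2592000 seconds); `-checkend 0` answers only whether it has already expired.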
Verify node time synchronization:
```bash
timedatectl status
chronyc tracking
```
Follow the OpenShift documentation for manual etcd certificate rotation if automatic rotation has failed.