You can renew both internal and external certificates after expiration.
To renew certificates after expiration:
Log in to the master node.
Change to the following directory:
cd <k8s_HOME>
By default, k8s_HOME is /opt/kubernetes.
(Conditional) For internal certificate:
Run the following command to generate new client.crt, client.key and server.crt certificates:
./scripts/renewCert --renew -V 365 -t internal
(Conditional) If you have multiple master nodes, run the following on all the master nodes:
./scripts/renewCert --renew -t internal
(Conditional) For external certificates, run the following command:
To generate new external self-signed certificates:
./scripts/renewCert --renew -t external
To generate the external custom self-signed certificates:
./scripts/renewCert --renew -t external --tls-cert /<cert file directory>/<cert file> --tls-key <private key directory>/<private key> [--tls-cacert <CA cert directory>/<CA cert file>]