Bootstrap certificates - Certificate types and descriptions | Security and compliance | OpenShift Container Platform 4.8

Purpose

In OpenShift Container Platform 4 and later, the kubelet uses the bootstrap certificate located in /etc/kubernetes/kubeconfig for its initial bootstrap. The bootstrap initialization process follows, and the kubelet is then authorized to create a certificate signing request (CSR).

In that process, the kubelet generates a CSR while communicating over the bootstrap channel. The controller manager signs the CSR, resulting in a certificate that the kubelet manages.

Management

These certificates are managed by the system and not the user.

Expiration

This bootstrap CA is valid for 10 years.

The kubelet-managed certificate is valid for one year and rotates automatically at around the 80 percent mark of that one year.
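
The lifetimes above turned into a check, as an added example that is not part of the OpenShift documentation: it builds a constructed, self-signed stand-in for a kubelet-managed certificate and classifies it against the 80 percent rotation mark. The node name worker-0, the helper names and the fixed 80 percent threshold (the page says "around") are assumptions; the system:node:<name> / system:nodes subject is the standard Kubernetes node identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sampleCert builds a constructed, self-signed stand-in for a kubelet-managed certificate.
func sampleCert(node string, notBefore time.Time, ttl time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(ttl),
		Subject: pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// rotateAt returns the instant at which pct percent of the validity period has elapsed.
func rotateAt(c *x509.Certificate, pct int64) time.Time {
	return c.NotBefore.Add(c.NotAfter.Sub(c.NotBefore) / 100 * time.Duration(pct))
}

// state classifies c at time t; "overdue" means the 80 percent mark passed without rotation.
func state(c *x509.Certificate, t time.Time) string {
	switch {
	case t.After(c.NotAfter):
		return "expired"
	case !t.Before(rotateAt(c, 80)):
		return "overdue"
	}
	return "ok"
}

func main() {
	c, err := sampleCert("worker-0", time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Subject.CommonName, rotateAt(c, 80).Format(time.RFC3339), state(c, c.NotBefore.AddDate(0, 11, 0)))
}
```

A certificate still in use in the "overdue" state points at a node that missed its automatic rotation window, for example because it was powered off, and should be looked at before the certificate expires.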

Customization

You cannot customize the bootstrap certificates.