This is a cache of https://docs.openshift.com/container-platform/4.5/security/certificate_types_descriptions/bootstrap-certificates.html. It is a snapshot of the page at 2024-11-20T23:45:18.184+0000.
Bootstrap certificates - Certificate types and descriptions | Security | OpenShift Container Platform 4.5
×

Purpose

The kubelet, in OpenShift Container Platform 4 and later, uses the bootstrap certificate located in /etc/kubernetes/kubeconfig to initially bootstrap. This is followed by the bootstrap initialization process and authorization of the kubelet to create a CSR.

In that process, the kubelet generates a CSR while communicating over the bootstrap channel. The controller manager signs the CSR, resulting in a certificate that the kubelet manages.

Management

These certificates are managed by the system and not the user.

Expiration

This bootstrap CA is valid for 10 years.

The kubelet-managed certificate is valid for one year and rotates automatically at around the 80 percent mark of that one year.

Customization

You cannot customize the bootstrap certificates.