Export Certificate and Key from kubeconf.

I have a kubeconf file, but I cannot find the key and the certificate that was used to create it. Here comes help…

kubeadm does a great job in creating all the necessary keys, certificates and kubeconf files required for a Kubernetes cluster. As I was playing around recently with users, roles, and kubeconfs I discovered that the key and the certificate for the kubernetes-admin are missing.

And here I want to demonstrate how those files can be exported from the kubeconf.

In one of my previous posts I talked about how to create a user, its permissions and roles in Kubernetes:
https://www.livefire.solutions/kubernetes/create-a-user-in-kubernetes
Take a look if you want to learn more about how these kubeconf files are created.

Starting Point

I have setup my Kubernetes cluster using kubeadm and per default kubeadm stores all the certificates and keys in the /etc/kubernetes/pki directory. But as we can see below there is no admin.key and no admin.crt file:

So lets export them from our admin kubeconf file stored in /etc/kubernetes

Verify Content and Export Certificates

Lets take a view on the content of: /etc/kubernetes/admin-conf
Note: To preserve readability lines are cut off.

We are interested in the two lines at the end that contain the key and certificates information. So lets grep out the client-certificate-data and decode the content:

grep "client-certificate-data" admin.conf | awk '{print $2}' | base64 -d

As you can see above, the result looks very familiar… 🙂
Repeat the step for client-key-data and write the output to files:

grep "client-certificate-data" admin.conf | awk '{print $2}' | base64 -d > admin.crt
grep "client-key-data" admin.conf | awk '{print $2}' | base64 -d > admin.key

In a final step, lets verify the exported admin.crt
Show the first 20 lines of the certificate information by running:

openssl x509 -in admin.crt -noout -text | head -20

We can see the issuer, validity and subject information. Seems our export was successful.

Bal Birdy on LinkedinBal Birdy on Twitter
Bal Birdy
Bal is an Open Group Certified IT Architect, and VCDX #269, specializing in the network and security arena, with over 15 years experience in enterprise level network/system technologies. His goal has always been to maintain a holistic view of the architecture allowing him to understand how various technology streams may impact the networking/infrastructure space.
Bal has a proven record of delivering on enterprise network designs, leading data center and site migrations as a result of business mergers and acquisitions, and vendor migrations e.g. Cisco to Checkpoint/Juniper. As part of this he worked across several business sectors: Utilities, Banking, Retail and Government, and can base designs around sector specific standards e.g. PCI-DSS, DSD and ISM. He is proficient in several technology areas including Cisco, Juniper, F5, VMware, Citrix and Microsoft. These skills are supported by non-technical certifications: Prince2 Project Management Practitioner, ITILv3, TOGAF 9.1 Certified and Open Group Certified IT Architect – Open CA.
In addition to supporting the Livefire Team, Bal leads several innovation efforts within the VMware WRACE organization, including projects investigating the use of Virtual Reality/Augmented Reality, AI/ML and Interactive 360, to support customer and partner enablement.

Certifications:
BSc (Hons) Computer Science
CCNP/CCDP
VCDX-NV #269
Open Group Certificated Architect
Member of the Associated of Enterprise Architects

Leave a Reply

%d bloggers like this: