Export Certificate and Key from kubeconf.

I have a kubeconf file, but I cannot find the key and the certificate that was used to create it. Here comes help…

kubeadm does a great job in creating all the necessary keys, certificates and kubeconf files required for a Kubernetes cluster. As I was playing around recently with users, roles, and kubeconfs I discovered that the key and the certificate for the kubernetes-admin are missing.

And here I want to demonstrate how those files can be exported from the kubeconf.

In one of my previous posts I talked about how to create a user, its permissions and roles in Kubernetes:
Take a look if you want to learn more about how these kubeconf files are created.

Starting Point

I have setup my Kubernetes cluster using kubeadm and per default kubeadm stores all the certificates and keys in the /etc/kubernetes/pki directory. But as we can see below there is no admin.key and no admin.crt file:

So lets export them from our admin kubeconf file stored in /etc/kubernetes

Verify Content and Export Certificates

Lets take a view on the content of: /etc/kubernetes/admin-conf
Note: To preserve readability lines are cut off.

We are interested in the two lines at the end that contain the key and certificates information. So lets grep out the client-certificate-data and decode the content:

As you can see above, the result looks very familiar… 🙂
Repeat the step for client-key-data and write the output to files:

In a final step, lets verify the exported admin.crt
Show the first 20 lines of the certificate information by running:

We can see the issuer, validity and subject information. Seems our export was successful.

Peter Oberacher
Peter has worked as a professional in the IT industry since 1994. During his career he gathered several certifications around networking and security, SAN architecture and management, and Linux.In February 2012 he passed the exam to become VCDX-DCV #73. He joined VMware in 2008 as a Consultant and developed profound knowledge in architecture and design. In the following years he designed and implemented several large-scale virtual environments in Saudi-Arabia, Germany, Austria, Switzerland and Romania for over 20 different customers. Besides his activity as Architect, he also conducted dozens of performance and monitoring workshops using vRealize Operations for customers in central Europe. After leaving PSO in 2015, Peter joined different teams focusing on enablement and training and in January 2018 Peter became a member of the WW RACE team. Now he is responsible for lecture development around NSX-T.

Leave a Reply

%d bloggers like this: