How to extend RKE2/K3s self-signed certificate expiration

Article Number: 000022185

Environment

RKE2 and K3S cluster with self-signed certificates

Procedure

Warning: Changing the default certificate expiry is not officially supported or tested by QA. Overriding the default is generally discouraged because Rancher and RKE2 already manage rotation: through the Rancher UI, through the RKE2 rotate subcommand, or automatically when the RKE2 service restarts.

If your specific scenario requires adjusting the expiry period, use the details in this article with caution. Ensure you apply reasonable values to prevent unexpected cluster complications.

1. Configure the Environment Variable

Set the environment variable CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS on the node.

RKE2:
The example below configures a 1000-day certificate expiration period for an RKE2 server node:
# Add the environment variable (example: 1000 days)
echo CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=1000 >> /usr/local/lib/systemd/system/rke2-server.env

# Apply changes
systemctl restart rke2-server
Note: For agent/worker nodes, replace rke2-server with rke2-agent in the commands above.

K3S:
The example below configures the same 1000-day expiry for a K3s server node:

# Add the environment variable (example: 1000 days)
echo CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=1000 >> /etc/systemd/system/k3s.env

# Apply changes
systemctl restart k3s

Note: For agent/worker nodes, replace k3s with k3s-agent in the commands above. Also note that K3s uses the /etc/systemd/system directory by default, which is why the path differs from the RKE2 example under /usr/local/lib/systemd/system.


2. Verify Certificate Validity

You can confirm the updated certificate durations using one of the following methods:

Using the RKE2 CLI
rke2 certificate check --output table

Using the K3s CLI

k3s certificate check --output table

Using OpenSSL
This example checks the certificate presented by the kubelet, which listens on port 10250.

openssl s_client -connect localhost:10250 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates

Note: The OpenSSL command can be adjusted for other components by changing the target port.

Important Considerations

Existing clusters
If the current certificates have more than 120 days until expiry, RKE2 and K3s will not automatically rotate them when the service starts after the new environment variable is added, so the new expiry period does not take effect until the certificates are rotated.
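As an added example that is not part of this article, the shell script below parses the notAfter line produced by the OpenSSL check in step 2 and classifies a certificate against the 120-day threshold described above, so you can see on each node whether a restart will renew it or whether a manual rotate is needed. It assumes GNU date (a BSD date fallback is included), and the sample notAfter value is constructed rather than captured from a cluster.

```shell
#!/bin/sh
# Added example, not from the KB article. Parses the "notAfter=" line that the
# OpenSSL check above prints and reports whether the certificate is inside the
# 120-day window in which RKE2/K3s renew it on service restart.
# Assumes GNU date; a BSD date fallback is included.

# Convert an OpenSSL date string ("Jan  1 00:00:00 2030 GMT") to a Unix epoch.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# days_until NOTAFTER_LINE [NOW_EPOCH]: whole days left (negative if expired).
# NOW_EPOCH is optional; it only exists so the result can be fixed in tests.
days_until() {
    enddate=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(to_epoch "$enddate") || return 1
    echo $(( (end - now) / 86400 ))
}

# rotation_status NOTAFTER_LINE [NOW_EPOCH]:
#   expired               - already past notAfter
#   rotate-on-restart     - 120 days or less left; renewed on next restart
#   manual-rotate-needed  - more than 120 days left; a restart will not renew
#                           it, so the new expiry only applies after
#                           "rke2 certificate rotate" / "k3s certificate rotate"
rotation_status() {
    days=$(days_until "$1" "$2") || return 1
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -le 120 ]; then
        echo rotate-on-restart
    else
        echo manual-rotate-needed
    fi
}

# check_port PORT: run the article's OpenSSL pipeline against a local listener
# (10250 for the kubelet) and classify the certificate it serves.
check_port() {
    line=$(openssl s_client -connect "localhost:$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate) || return 1
    printf '%s (%s days left): %s\n' "$line" "$(days_until "$line")" "$(rotation_status "$line")"
}

# Constructed sample line, not captured from a real cluster.
SAMPLE='notAfter=Jan  1 00:00:00 2030 GMT'
```

Run `check_port 10250` on a node to classify the kubelet certificate; any port from the OpenSSL note in step 2 works the same way.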

Manual rotation
On an existing cluster, the new certificate expiry period can be applied by manually rotating the certificates on all nodes as needed. This can be done in the Rancher dashboard, or directly on nodes in a standalone cluster.

RKE2: 

rke2 certificate rotate
systemctl restart rke2-server

Note: For agent/worker nodes, replace rke2-server with rke2-agent in the commands above.

K3S:

k3s certificate rotate
systemctl restart k3s

Note: For agent/worker nodes, use k3s-agent as the systemctl service when restarting.