Changing the Master API Certificate

The OKD master API uses a different certificate than the certificate used by the ingress controller. Changing the master API certificate allows users to log in securely using the oc command.

As with the ingress controller certificate, a certificate signed by a recognized certificate authority or by your company enterprise CA can replace the master API certificate.

To change the master API certificate, you need:

  • The master API certificate and key in PEM format.

  • The certificate is issued to the URL used to access the master API, such as

  • The subjectAltName extension for the certificate contains the URL used to access the master API, such as

  • If the certificate is signed by your enterprise CA, then you can create a combined certificate by concatenating the master API certificate and the CA certificate into one PEM file. Concatenate additional certificates into the combined PEM file as necessary to establish a chain of trust.


Change the master API certificate with the following steps. Create a new TLS secret in the openshift-config namespace using the master API certificate and key. Use the combined PEM certificate file for the --cert option if you created one.

oc create secret tls <SECRET-NAME> \
> --cert <PATH-TO-CERTIFICATE> --key <PATH-TO-KEY> \
> -n openshift-config

Modify the cluster API server to use the new secret. This can be accomplished by using oc edit, oc patch, or by modifying a file under version control and then using oc apply.

oc patch apiserver cluster --type=merge --patch='{"spec": \
> {"servingCerts": {"namedCertificates": \
> [{"names": ["<API-SERVER-URL>"], \
> "servingCertificate": {"name": "<SECRET-NAME>"}}]}}}'

If the apiserver updated successfully, then new kube-apiserver pods in the openshiftkube-apiserver namespace are created.

The kube-apiserver cluster operator transitions to a progressing state while the pods are created. The pods are ready when the kube-apiserver cluster operator is no longer progressing.

oc get co/kube-apiserver