Check Certificate expiry in Kubernetes

Let’s learn how to check the expiry of certificates in kubernetes,

Let’s create a self-signed certificate using openSSL,

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

Provide all the inputs for the above command, like country, common name etc. cert.pem will be created.

Create a Secret

kubectl create secret generic mycert --from-file=./cert.pem

Fetch the cert data using kubectl and check the expiry using openssl

kubectl get secret mysecret --template={{.data.crt}} |base64 --decode | openssl x509 -enddate -noout

If certificate key in secret has DOT (.)

If the certificate has a secret with extra dot like below, (tls.crt) then you can use -o=jsonpathwith kubectl.

apiVersion: v1
data:
  tls.crt: <cert-data>

Get certificate info by parsing using jsonpath flag with Escape \ character as shown below,

kubectl get secret dev-goacademy-tls -o=jsonpath='{.data.tls\.crt}' |base64 --decode |openssl x509 -enddate -noout
notAfter=Mar 1 15:38:50 2023 GMT

Learn more about kubernetes, join my CKA course