So, I have always found PKI key tools to be super challenging: hard to remember all the options (and why they are needed). I did come up with a pattern for manually refreshing a K8s certificate using only the official K8s documentation.
Note: I learned everything using openssl, as it seemed to be the most generally available tool.
The first command that you just have to memorize is how to inspect the contents of an existing certificate:
openssl x509 -in server.crt -text -noout
Note: the -noout option is optional; it suppresses the base64 PEM dump at the end and just shortens the output. The options take a single dash in openssl.
Using this command, inspect the content of the certificate that you are looking to renew. In there you can find all the information that you will need to populate your certificate signing request (CSR) configuration file.
The next step is to construct a template to create the CSR. Just looking up "certificates" in the K8s documentation gets you to the "Certificates" page, and on that page you will see a template. You will need to take the information you got from inspecting the old certificate and put it in the proper place. In some cases this may involve removing keys; e.g., when refreshing my etcd certificate, I did not use the following keys in the template because they were not present in the old certificate:
With all this in place, the same "Certificates" document gives you the exact commands you will need to use to create your refreshed certificate.
One subtle thing you will have to understand is which certificate authority to use to sign the CSR. This can be determined from the old certificate: its Issuer field names the CA that signed it, and the refreshed certificate must be signed by that same CA or the components that already trust the old one will reject it. For example, for etcd, you have to use the CA files in the same etcd directory.
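The whole pattern, rehearsed end to end, as an added example that is not part of the original post: it builds a throwaway CA and a short-lived "old" certificate in a scratch directory, then does the inspect / build CSR config / generate key and CSR / sign with the same CA steps described above, and finishes with the checks worth running before swapping the file in. The CA name, the CN demo-etcd and the SAN entries are constructed for the demo, and the CSR config layout is my own approximation of the shape of the template on the K8s "Certificates" page, not a copy of it.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the renewal pattern
# end-to-end in a scratch directory. The CA, the "old" certificate and all
# names (demo-etcd, localhost, 127.0.0.1) are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the certificate you are about to renew: a throwaway CA signs
# a one-day server/client cert with the kind of SANs an etcd cert carries.
make_old_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-etcd-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  cat > "$WORK/old.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = demo-etcd
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:demo-etcd, DNS:localhost, IP:127.0.0.1
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/old.cnf" \
    -keyout "$WORK/old.key" -out "$WORK/old.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/old.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/old.cnf" -extensions v3_req \
    -out "$WORK/old.crt" 2>/dev/null
}

# Step 1 helpers: pull the fields you would otherwise copy by hand out of
# `openssl x509 -in <cert> -text -noout`.
cn_of()     { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
san_of() {  # SAN list rewritten into the syntax a CSR config expects
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | sed 's/^ *//; s/IP Address:/IP:/g'
}

# Steps 2-4: build the CSR config from the old cert, create key + CSR, sign
# with the same CA the old cert names as its issuer, then check the result.
renew_and_check() {
  make_old_cert
  cn=$(cn_of "$WORK/old.crt")
  sans=$(san_of "$WORK/old.crt")
  cat > "$WORK/new.cnf" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = $cn
[ req_ext ]
subjectAltName = $sans
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $sans
EOF
  openssl genrsa -out "$WORK/new.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/new.key" -config "$WORK/new.cnf" -out "$WORK/new.csr"
  openssl x509 -req -in "$WORK/new.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/new.cnf" -extensions v3_ext \
    -out "$WORK/new.crt" 2>/dev/null

  # Checks worth running before swapping the file in (each aborts on failure):
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/new.crt" >/dev/null         # chains to the CA
  [ "$(issuer_of "$WORK/new.crt")" = "$(issuer_of "$WORK/old.crt")" ]      # same issuer as before
  [ "$(san_of "$WORK/new.crt")" = "$sans" ]                                # SANs preserved
  openssl x509 -in "$WORK/new.crt" -noout -checkend 86400 >/dev/null       # still valid tomorrow
  echo OK
}

renew_and_check
```

The four checks at the end are the ones that catch the usual mistakes: signing with the wrong CA (verify and issuer comparison), dropping a SAN while editing the template (SAN comparison), and ending up with a certificate whose validity window is already gone (checkend). On a real node the CA and old certificate come from the same directory as the certificate being renewed, as the post says, rather than from the throwaway make_old_cert step here.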
Finally, remember: you are unlikely to need to do this in a real K8s cluster, as:
- Every cluster upgrade automatically refreshes these certificates
- There is now a kubeadm option that does this "kubeadm alpha certs renew"