Regenerating OCP Certificates

If your OpenShift Container Platform nodes must support FIPS and the cluster certificates were previously generated on a non-FIPS node, those certificates need to be regenerated. You must run these steps from a FIPS-compliant environment, such as a RHEL server booted in FIPS mode (confirm with fips-mode-setup --check, or check that /proc/sys/crypto/fips_enabled reads 1, before you start).

Then you can follow the Red Hat Customer Portal document Regenerating Openshift Cluster Certificates, which shows you how to:

  1. Regenerate the Leaf Certificates using oc adm ocp-certificates regenerate-leaf
  2. Regenerate the Top-Level Certificates using oc adm ocp-certificates regenerate-top-level

There is also a really cool command to restart the kubelet on every node: oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig. The RemoveKubeletKubeconfig directive removes each node's kubelet kubeconfig before the restart, so the kubelet re-establishes its client credentials against the regenerated certificates instead of keeping the old ones.
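Here is a wrapper around the procedure above, as an added example that is not from the original post or from Red Hat's document. It refuses to run unless the host is in FIPS mode and you are logged in to the cluster, prints the plan for review, and then runs the steps in the order listed above. The namespace and resource selectors passed to regenerate-leaf and regenerate-top-level are my assumptions based on the oc command's usage; confirm them against the Red Hat document for your cluster version before running.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or from Red Hat): preflight checks
# plus the certificate regeneration steps, run in order.
set -eu

# Overridable so the FIPS check can be exercised on a non-FIPS host.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Returns 0 only when the kernel reports FIPS mode (the flag file reads "1").
fips_enabled() {
  [ -r "$FIPS_FLAG_FILE" ] || return 1
  [ "$(tr -d '[:space:]' < "$FIPS_FLAG_FILE")" = "1" ]
}

# Prints the exact commands, one per line, in the order the post lists them:
# leaf certificates, top-level certificates, then the kubelet restart.
# The "-n <namespace> secrets --all" selectors are assumptions; verify them
# against the Red Hat document before running.
regen_plan() {
  cat <<'EOF'
oc adm ocp-certificates regenerate-leaf -n openshift-kube-apiserver-operator secrets --all
oc adm ocp-certificates regenerate-leaf -n openshift-kube-apiserver secrets --all
oc adm ocp-certificates regenerate-top-level -n openshift-kube-apiserver-operator secrets --all
oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig
EOF
}

# Runs the plan only from a FIPS-mode host with a working cluster login.
# Returns 2 on a failed preflight; a failing oc step aborts via set -e.
run_regen() {
  if ! fips_enabled; then
    echo "refusing: host is not in FIPS mode ($FIPS_FLAG_FILE)" >&2
    return 2
  fi
  if ! command -v oc >/dev/null 2>&1; then
    echo "refusing: oc is not on PATH" >&2
    return 2
  fi
  if ! oc whoami >/dev/null 2>&1; then
    echo "refusing: not logged in to a cluster (oc whoami failed)" >&2
    return 2
  fi
  regen_plan | while IFS= read -r step; do
    echo "+ $step" >&2
    # Each step is a plain command line without quoted arguments,
    # so word splitting on $step is what we want here.
    $step
  done
}

# Usage: ./regen-ocp-certs.sh plan   (review the commands)
#        ./regen-ocp-certs.sh run    (preflight, then execute)
case "${1:-}" in
  plan) regen_plan ;;
  run)  run_regen ;;
esac
```

Run it with plan first and read the commands; run only does anything after the FIPS and login checks pass, so it cannot silently regenerate certificates from a non-FIPS workstation.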

This document is tried and true, and the best one to regenerate your certificates for your cluster.

I’m blogging about this so I can find these key commands and the link when I need it again.