Generate the certificate for serving the Kubernetes API


Generate the certificate for serving the Kubernetes API, and save the certificate and its key into the apiserver.cert and apiserver.key files.

Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local,,

If both files already exist, kubeadm skips the generation step and existing files will be used.

Alpha Disclaimer: this command is currently alpha.

kubeadm init phase certs apiserver [flags]

Options

      --apiserver-advertise-address string   The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
      --apiserver-cert-extra-sans strings    Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
      --cert-dir string                      The path where to save and store the certificates. (default "/etc/kubernetes/pki")
      --config string                        Path to a kubeadm configuration file.
      --csr-dir string                       The path to output the CSRs and private keys to
      --csr-only                             Create CSRs instead of generating certificates
  -h, --help                                 help for apiserver
      --service-cidr string                  Use alternative range of IP address for service VIPs. (default "")
      --service-dns-domain string            Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")

Options inherited from parent commands

      --rootfs string   [EXPERIMENTAL] The path to the 'real' host root filesystem.
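
Because kubeadm reuses a certificate and key that already exist, it is worth checking which SANs the certificate on disk actually covers. The following Go program is an added example, not part of kubeadm or its documentation: it reports which of the default SANs listed above, plus any extra names or IPs, a PEM certificate does not cover. The names `DefaultSANs`, `MissingSANs` and `sampleCert`, the address 192.0.2.10 and the name api.example.internal are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

var DefaultSANs = []string{"kubernetes", "kubernetes.default", // default SANs from this page
	"kubernetes.default.svc", "kubernetes.default.svc.cluster.local"}

// MissingSANs returns the names/IPs in want that the PEM certificate does not cover.
func MissingSANs(certPEM []byte, want []string) (missing []string, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	for _, name := range want {
		if cert.VerifyHostname(name) != nil { // same matching a Go TLS client applies
			missing = append(missing, name)
		}
	}
	return missing, nil
}

// sampleCert builds a throwaway self-signed cert (constructed input, not kubeadm-issued).
func sampleCert(dns []string, ips []net.IP) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames:     dns, IPAddresses: ips,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	c := sampleCert(DefaultSANs, []net.IP{net.ParseIP("192.0.2.10")})
	fmt.Println(MissingSANs(c, append(DefaultSANs, "192.0.2.10", "api.example.internal")))
}
```

To check a real certificate, pass `MissingSANs` the bytes read from the certificate file in `--cert-dir` instead of the constructed sample.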