kubeadm-certs-generate-csr - Man Page

Generate keys and certificate signing requests

Eric Paris Jan 2015


Synopsis

kubeadm certs generate-csr [Options]


Description

Generates keys and certificate signing requests (CSRs) for all the certificates required to run the control plane. This command also generates partial kubeconfig files with private key data in the "users > user > client-key-data" field, and for each kubeconfig file an accompanying ".csr" file is created.

This command is designed for use in Kubeadm External CA Mode ⟨https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode⟩. It generates CSRs which you can then submit to your external certificate authority for signing.

The PEM encoded signed certificates should then be saved alongside the key files, using ".crt" as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the "users > user > client-certificate-data" field.


Options

--cert-dir="" The path in which to save the certificates.

--config="" Path to a kubeadm configuration file.

--kubeconfig-dir="/etc/kubernetes" The path in which to save the kubeconfig file.

Options Inherited from Parent Commands

--azure-container-registry-config="" Path to the file containing Azure container registry configuration information.

--log-flush-frequency=5s Maximum number of seconds between log flushes.

--rootfs="" [EXPERIMENTAL] The path to the 'real' host root filesystem.

--version=false Print version information and quit.


Example

  # The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
  kubeadm certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
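
An added example, not part of the kubeadm documentation: the last step described above, base64-encoding the CA-signed PEM certificate and placing it in the "users > user > client-certificate-data" field of a partial kubeconfig, while rejecting a CSR passed in by mistake. The function name and the sample data are assumptions; the key and certificate are constructed placeholders, and the file is assumed to hold a single user entry.

```python
import base64
import re
import ssl

# One "client-key-data: <base64>" line (assumed: a single user entry per file).
KEY_LINE = re.compile(r"^([ \t]*)client-key-data:[ \t]*\S+[ \t]*$", re.MULTILINE)
CERT_LINE = re.compile(r"^[ \t]*client-certificate-data:", re.MULTILINE)


def embed_signed_cert(kubeconfig_text, cert_pem):
    """Return kubeconfig_text with client-certificate-data set from cert_pem."""
    cert_pem = cert_pem.strip()
    if "CERTIFICATE REQUEST" in cert_pem:
        raise ValueError("this is the CSR, not the certificate the CA returned")
    # Raises ValueError unless the text is framed as a PEM CERTIFICATE.
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    if CERT_LINE.search(kubeconfig_text):
        raise ValueError("kubeconfig already has client-certificate-data")
    found = len(KEY_LINE.findall(kubeconfig_text))
    if found != 1:
        raise ValueError("expected one client-key-data entry, found %d" % found)
    # The field holds base64 of the PEM text itself, not of the DER bytes.
    b64 = base64.b64encode((cert_pem + "\n").encode("ascii")).decode("ascii")
    # Insert above client-key-data, reusing its indentation (same YAML mapping).
    return KEY_LINE.sub(
        lambda m: "%sclient-certificate-data: %s\n%s" % (m.group(1), b64, m.group(0)),
        kubeconfig_text, count=1)


# Constructed sample input: placeholder key and a 5-byte DER stub, not real credentials.
SAMPLE_KUBECONFIG = (
    "apiVersion: v1\nkind: Config\nusers:\n- name: example-user\n  user:\n"
    "    client-key-data: " + base64.b64encode(b"constructed-key").decode() + "\n")
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
               + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(embed_signed_cert(SAMPLE_KUBECONFIG, SAMPLE_CERT))
```

The function only checks PEM framing; confirming that the returned certificate matches the generated key and chains to your CA is a separate check.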

January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!
