How to renew or recreate a node's certificate in OpenShift 4.x

Solution Verified - Updated -


  • Only one node is not working, with a "NotReady" status;
  • Kubelet service log shows lots of messages:

    Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
  • Expired or mis-matched node certificates, but there are no Pending CSRs

  • How do I redeploy node certificates or do TLS bootstrapping?


  • Red Hat OpenShift Container Platform (RHOCP) 4.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content