Certificates from
First Principles

Before we talk about certificates, we need to understand what world we live in without them. The internet is, by default, a postcard system. Every packet you send travels through dozens of routers, switches, and cables owned by people you don’t know and have no reason to trust. Your ISP can read your traffic. The coffee-shop WiFi operator can read your traffic. A government with a fiber tap can read your traffic. This isn’t paranoia — it’s physics. Data moves through shared infrastructure in plaintext unless you explicitly make it not.

This gives us two problems that certificates ultimately exist to solve:

Confidentiality. How do you prevent eavesdroppers from reading your data? You need encryption — a way to scramble the message so only the intended recipient can unscramble it.

Authentication. Even if you encrypt, how do you know you’re talking to the right server? An attacker could intercept your connection, present themselves as your bank, and you’d happily encrypt your password and send it straight to them. This is a man-in-the-middle attack, and encryption alone doesn’t prevent it. You need a way for the server to prove its identity.

Certificates don’t do the encryption themselves. They solve the authentication problem — they let your browser verify that the public key it just received actually belongs to google.com and not to someone pretending to be Google. But to understand certificates, you need to understand the cryptographic primitives they’re built on. So let’s build up from nothing.

The oldest and most intuitive form of encryption: both parties share the same secret key. The sender uses the key to encrypt, the receiver uses the same key to decrypt. A lockbox with two identical keys.

Modern symmetric ciphers like AES-256-GCM are extraordinarily fast — billions of operations per second on CPUs with hardware AES-NI instructions. They’re also, as far as we know, unbreakable when used correctly. AES-256 has a keyspace of 2²⁵⁶ possible keys. If every atom in the observable universe were a computer trying a billion keys per second, it would take longer than the age of the universe to try them all.

But symmetric encryption has a devastating bootstrapping problem: how do you get the shared key to both parties in the first place? If Alice wants to talk securely to Bob, she needs to somehow transmit the key to him. But if she sends it over the network, an eavesdropper captures it. If she could already communicate securely with Bob, she wouldn’t need the key. It’s circular.

For centuries, this meant encryption required physical key exchange — diplomatic couriers, codebooks distributed in person, sealed envelopes. That’s fine for embassies. It doesn’t work when you want to buy something from a website you’ve never visited before.

In 1976, Whitfield Diffie and Martin Hellman published “New Directions in Cryptography,” one of the most important papers in the history of computer science. They proposed something that sounded impossible: two strangers could agree on a shared secret over a public channel, even if an eavesdropper heard every word.

This is the Diffie-Hellman key exchange. Modern TLS uses ECDHE — Elliptic Curve Diffie-Hellman Ephemeral — which achieves the same thing with smaller numbers and faster computation.

The “ephemeral” part is critical. Both sides generate new, temporary key pairs for every session. Even if a server’s long-term private key is compromised years later, an attacker who recorded past traffic can’t decrypt it, because the ephemeral keys are long gone. This property is called forward secrecy, and it’s why TLS 1.3 mandates ECDHE and dropped support for static RSA key exchange.

But Diffie-Hellman solves only half the problem. It gives you a shared secret — but it doesn’t tell you who you derived that secret with. A man-in-the-middle could perform DH with Alice, separately perform DH with Bob, and relay traffic between them. To prevent this, you need authentication — and that requires asymmetric cryptography used in a different way.

Asymmetric (public-key) cryptography uses a key pair: a public key you give to the world, and a private key you guard with your life. The two are mathematically linked by a trapdoor function — a computation that’s efficient in one direction and infeasible in the other.

RSA

The classic. Named after Rivest, Shamir, and Adleman (1977). The trapdoor is integer factorization:

1. Pick two large random primes, p and q (each 1024+ bits).
2. Compute n = p × q. This is your modulus — it’s public.
3. Compute φ(n) = (p−1)(q−1). This requires knowing p and q.
4. Choose a public exponent e (commonly 65537). Compute the private exponent d such that ed ≡ 1 (mod φ(n)).
5. Public key: (n, e). Private key: (n, d).

The security rests on one fact: given n (a 2048-bit number), nobody knows how to efficiently find p and q. Multiplying two 1024-bit primes takes microseconds. Factoring their product takes longer than the universe will exist.

Elliptic Curves (ECDSA, Ed25519)

Instead of factoring, EC crypto relies on the Elliptic Curve Discrete Logarithm Problem. You have a curve, a base point G, and a random integer k (your private key). Your public key is Q = kG. Given G and Q, recovering k is computationally infeasible. The result: 256-bit keys as strong as 3072-bit RSA keys.

What can you do with these keys?

• Encrypt: Anyone can encrypt with your public key. Only your private key can decrypt.
• Sign: You can create a digital signature with your private key. Anyone with your public key can verify it.

Certificates care about the second operation — signing — far more than the first.

A digital signature proves two things simultaneously: who produced a piece of data, and that the data hasn’t been altered since it was signed.

This mechanism underpins everything: TLS, code signing, JWTs, git commits, package managers, and certificates themselves.

Now we can define what a certificate actually is, and it’s simpler than you might expect.

A certificate is a document that says: “I, the issuer, certify that this public key belongs to this identity.” And then the issuer signs that statement with their own private key.

That’s it. A certificate binds a public key to an identity, and a trusted third party’s signature makes that binding believable. The standard format is X.509v3:

Anyone can create a certificate claiming anything. I can generate a cert right now saying “this key belongs to google.com.” What makes it trustworthy isn’t its content — it’s the signature. And the signature is only meaningful if you trust the entity that signed it.

If you need a trusted third party to sign your cert, who signs their cert? And who signs that entity’s cert? This regression stops at root Certificate Authorities.

A root CA is a certificate that signs itself. Its issuer is itself. This is obviously circular — so why trust it? Because your operating system’s vendor has pre-installed it into your trust store — a curated list of roughly 150 root certificates that your machine trusts implicitly.

In practice, root CAs don’t directly sign your server’s certificate. The chain has three levels:

Why intermediates? The root CA’s private key is the single point of trust. If compromised, every certificate in the chain becomes untrustworthy, and there’s no recovery short of replacing the root in every device’s trust store worldwide. So root keys are kept offline. The intermediates do the daily work. If one is compromised, the root signs a new one, the old gets revoked, damage contained. Defense in depth applied to trust infrastructure.

Verification in practice

1. Server sends its leaf cert + intermediate cert (root is omitted — you already have it locally).
2. Check the leaf’s signature using the intermediate’s public key. ✓
3. Check the intermediate’s signature using the root’s public key (from your trust store). ✓
4. Root is trusted. Chain complete. Connection trusted.
5. Also: validity dates, SANs match hostname, key usage is appropriate, not revoked.

This is where every concept snaps together into a single coherent protocol. TLS 1.3 is the current version — faster and more secure than its predecessors.

Notice the layering: ECDHE for key exchange (forward secrecy), certificates + signatures for authentication, AES-GCM for bulk encryption. Each primitive does what it’s best at.

CertificateVerify deserves special attention: the server signs the handshake transcript with its private key. This proves the server possesses the private key, not just the (public) certificate. Without it, an attacker who obtained the cert file (but not the key) could impersonate the server.

Before November 2015, getting a TLS certificate meant: paying $50–$300/year, generating a CSR manually, emailing it, waiting days, receiving the cert via email, installing it, and setting a calendar reminder. Let’s Encrypt changed everything by making certificates free, automated, and open.

How ACME works

The core idea: prove you control the domain before the CA signs. Let’s Encrypt only does Domain Validation (DV).

DNS-01 is the other challenge type: create a TXT record at _acme-challenge.example.com. Advantage: works for wildcard certs, no ports needed. Disadvantage: requires DNS API access.

That is the complete web PKI story. From trapdoor functions, through chains of trust, through TLS handshakes, to ACME automation. Now let’s see how Kubernetes takes these same primitives and uses them internally.

On the web, TLS is usually one-directional: the server proves its identity, but the client stays anonymous. Kubernetes is different. Every component must authenticate to every other component, using mutual TLS (mTLS) — both sides present certificates.

The kubelet on worker-3 reports pod status. The API server checks: is this a legitimate kubelet? The kubelet presents a client cert with CN=system:node:worker-3, O=system:nodes. The API server verifies it against the cluster CA, extracts the identity, applies RBAC. Meanwhile, the kubelet verifies the API server’s cert too.

Every arrow requires at least one, usually two, certificates. This is why a cluster has so many — not overengineering, but the minimum machinery for authenticated communication.

When you initialize a cluster with kubeadm init, the first thing generated is the cluster CA:

/etc/kubernetes/pki/ca.crt    # Root certificate (public, distributed everywhere)
/etc/kubernetes/pki/ca.key    # Root private key (the crown jewel)

This CA is the root of trust for the entire cluster. Every other K8s certificate is either signed directly by this CA or by a subordinate signed by it. The ca.crt is embedded in every kubeconfig.

The API server is the nexus — every component talks to it. It needs certificates for both directions:

Server certificate (incoming connections)

/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver.key

Presented to anything connecting to the API server. Its SANs must include every reachable name/IP: kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, the node’s hostname and IP, the cluster IP (10.96.0.1), and any load-balancer addresses.

Client certificate (outgoing to kubelets)

/etc/kubernetes/pki/apiserver-kubelet-client.crt / .key

Used when the API server connects to kubelets (kubectl logs, kubectl exec). Subject: O=system:masters.

Each kubelet — one per node — needs its own pair of certificates.

Client certificate (kubelet → API server)

The subject IS the kubelet’s RBAC identity:

Subject: CN = system:node:worker-3
         O  = system:nodes

CN identifies the node. O maps to a K8s group. The system:nodes group is bound to the system:node ClusterRole, which scopes kubelet permissions to pods on its own node.

Server certificate (API server → kubelet)

When the API server initiates connections to the kubelet (logs, exec, port-forward), the kubelet presents its server cert with the node’s IP and hostname as SANs.

Here is the chicken-and-egg problem that makes K8s cert management genuinely interesting: a new node needs a client cert to talk to the API server. To get one signed, it must submit a CSR to the API server. To talk to the API server, it needs a cert.

The solution: TLS Bootstrap — a protocol using a short-lived, low-privilege bootstrap token to break the circularity.

The beauty of TLS Bootstrap is how it decomposes a chicken-and-egg problem into minimal privilege escalations: start with a low-value token, use it to obtain a proper certificate, discard the token.

Beyond the cluster CA, Kubernetes maintains two additional CAs and a signing key pair, each for a distinct trust domain.

The etcd CA

/etc/kubernetes/pki/etcd/ca.crt      # etcd root CA
/etc/kubernetes/pki/etcd/server.crt  # etcd server cert
/etc/kubernetes/pki/etcd/peer.crt    # etcd-to-etcd replication

etcd stores every piece of cluster state. Its CA is deliberately separate — blast radius reduction.

The Front Proxy CA

For the API aggregation layer. When the API server proxies to an extension server (metrics-server), it presents the front-proxy-client cert and passes user identity via headers. The extension server trusts only the front-proxy CA. Third trust domain.

Service Account Key Pair

/etc/kubernetes/pki/sa.key    # Signs JWTs
/etc/kubernetes/pki/sa.pub    # Verifies JWTs

Not X.509. A raw key pair for signing/verifying ServiceAccount tokens (JWTs). Controller-manager signs with sa.key; API server verifies with sa.pub.

Here is every certificate and key file on a kubeadm-provisioned control-plane node:

~14 cert/key pairs + 1 SA key pair on a single control-plane node. In a 3-node HA setup: 30+ certificates.

Building a Kubernetes cluster from scratch reveals the careful choreography of PKI generation, component startup, and trust establishment. Whether you use kubeadm, kubespray, or do it the hard way, the same sequence plays out. Understanding it demystifies the ~20 files that appear in /etc/kubernetes/pki/.

The kubeadm init sequence

When you run kubeadm init, the following happens in order:

A running Kubernetes cluster is a system of cooperating components, each with a distinct role. Understanding what each does — and how they authenticate to each other — is essential for diagnosing issues and securing the cluster.

Control plane components

kube-apiserver is the central hub. Every other component communicates through it — no component talks directly to another (except etcd, which only the API server reaches). It exposes the Kubernetes API over HTTPS on port 6443, authenticates every request via client certificates or bearer tokens, and authorizes via RBAC.

etcd is the cluster’s brain — a distributed key-value store that holds all cluster state: pod specs, service definitions, secrets, configmaps, RBAC policies. It runs its own Raft consensus protocol for replication across control-plane nodes. Only the API server talks to etcd, using a separate CA for mTLS. If etcd is lost and unrecoverable, the cluster state is gone.

kube-controller-manager runs the control loops that reconcile desired state with actual state. The node controller detects unreachable nodes. The deployment controller manages ReplicaSets. The endpoint controller populates Endpoints. It also runs the CSR signing controller that signs kubelet certificate requests during TLS bootstrap.

kube-scheduler watches for newly created pods with no assigned node and selects the best node based on resource requests, affinity rules, taints, and topology. It only writes the nodeName field — the kubelet on that node then does the actual work.

Node components

kubelet is the node agent. It watches the API server for pods assigned to its node, tells the container runtime to start them, reports status back, and exposes a local HTTPS API on port 10250 (for kubectl logs, kubectl exec). It presents a client cert to the API server and a server cert to incoming connections. Both are managed via TLS bootstrap and auto-rotation.

kube-proxy runs on every node and implements Kubernetes Service networking. When you create a Service, kube-proxy programs the node’s network rules so that traffic to the Service’s ClusterIP gets load-balanced across the backing pods. It has three modes:

• iptables mode (default): Creates iptables rules for DNAT. Fast for small clusters, O(n) rule updates for n services.
• IPVS mode: Uses the kernel’s IPVS load balancer. O(1) lookups regardless of service count. Better for large clusters.
• nftables mode (1.29+): Uses nftables, the successor to iptables. Atomic rule updates, better performance.

kube-proxy authenticates to the API server via a kubeconfig with a client cert or a ServiceAccount token.

Cilium — replacing kube-proxy with eBPF

Cilium is a CNI plugin that uses eBPF (extended Berkeley Packet Filter) to implement networking, security, and observability directly in the Linux kernel. In many production clusters, Cilium replaces kube-proxy entirely.

Traditional kube-proxy operates in userspace-adjacent mode: it watches the API server for Service/Endpoint changes, then programs iptables/IPVS rules. Every packet hitting a Service IP traverses the iptables chain. Cilium takes a radically different approach:

• eBPF programs attached to network hooks: Instead of iptables rules, Cilium compiles eBPF programs that run directly in the kernel at the socket and TC (traffic control) layers. Service load-balancing happens at the socket level — the packet never even gets an iptables chain.
• Identity-based security: Cilium assigns each pod a numeric identity based on its labels, not its IP address. Network policies are enforced by identity, which survives pod restarts and IP changes. This is fundamentally more robust than IP-based firewalling.
• Hubble observability: Cilium includes Hubble, a network observability platform that gives you flow logs, service maps, and DNS-aware visibility — all powered by eBPF, with near-zero overhead.
• Transparent encryption: Cilium can encrypt all pod-to-pod traffic using WireGuard or IPsec, without a service mesh sidecar. Node-to-node tunnels are established automatically.

Cilium agents run as a DaemonSet. Each agent authenticates to the API server (via ServiceAccount token or cert) and watches Pods, Services, Endpoints, and CiliumNetworkPolicies. When you deploy Cilium with kubeProxyReplacement=true, you can skip installing kube-proxy entirely.

CoreDNS

CoreDNS provides cluster-internal DNS. When a pod looks up my-service.default.svc.cluster.local, CoreDNS resolves it to the Service’s ClusterIP. It runs as a Deployment with a ServiceAccount, watches the API server for Service and Endpoint changes, and serves DNS on the cluster DNS IP (typically 10.96.0.10). Every pod’s /etc/resolv.conf points to this IP.

Container runtime (containerd)

containerd is the container runtime that actually pulls images and runs containers. The kubelet communicates with it over a local Unix socket using the CRI (Container Runtime Interface) protocol. This connection is local (not network), so it doesn’t use TLS — it relies on filesystem permissions for security.

kubeadm manages control-plane certificates, but what about certificates your applications need? Ingress controllers need TLS certs for your domains. Internal services need certs for mTLS. This is where cert-manager comes in — the de facto standard for certificate lifecycle management in Kubernetes.

cert-manager runs as a set of controllers inside the cluster. It watches for Certificate resources you define, requests certs from configured issuers, stores them as Kubernetes Secrets, and automatically renews them before expiry.

The resource model

cert-manager introduces four key CRDs:

• Issuer / ClusterIssuer — defines where to get certs from. An ACME issuer for Let’s Encrypt, a CA issuer for self-signed, a Vault issuer for HashiCorp Vault. Issuer is namespaced; ClusterIssuer is cluster-wide.
• Certificate — declares what cert you need: domain names, duration, renewal window, which issuer to use. cert-manager creates the cert and stores it in a Secret.
• CertificateRequest — the internal representation of a CSR. You rarely create these directly.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls     # cert stored here as a Secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - example.com
    - www.example.com
  duration: 2160h                 # 90 days
  renewBefore: 360h               # renew 15 days before expiry

When this resource is created, cert-manager automatically: creates an ACME order, solves the challenge (HTTP-01 or DNS-01), submits a CSR to Let’s Encrypt, stores the signed cert + private key in the example-com-tls Secret, and renews it every 75 days. Your Ingress controller picks up the Secret and serves TLS. Zero human involvement.

Kubernetes PKI secures communication between infrastructure components. But what about the traffic between your application pods? By default, pod-to-pod traffic is unencrypted plaintext traveling over the cluster network. Anyone who compromises a node — or taps the network fabric — can read it all.

This is the problem service meshes solve. Istio, Linkerd, and Cilium extend mTLS to every pod-to-pod connection, transparently and without application code changes.

How Istio does it

1. istiod runs as the mesh’s own CA (or delegates to an external CA like Vault).
2. Each pod gets a sidecar proxy (Envoy) injected automatically. The sidecar intercepts all inbound/outbound traffic.
3. On startup, the sidecar requests a short-lived certificate from istiod via SDS (Secret Discovery Service). The cert encodes the pod’s SPIFFE identity.
4. Every connection between pods is automatically upgraded to mTLS. The sidecars handle the handshake — the application sees plain HTTP.
5. Certificates are rotated automatically, typically every 24 hours (configurable, default in Istio).

The result: every pod-to-pod connection is encrypted and mutually authenticated, with cryptographic identity tied to ServiceAccounts, and certificates that rotate on a 24-hour cadence. An attacker who compromises a pod gets a cert that’s valid for at most a day and can only identify as that specific service.

Kubernetes is deeply extensible, and every extension point that involves network communication needs certificates. The most common: admission webhooks.

When you create a ValidatingWebhookConfiguration or MutatingWebhookConfiguration, the API server needs to make HTTPS calls to your webhook server. This requires the webhook to serve TLS, and the API server needs to trust the webhook’s certificate.

Three approaches to webhook certs

• cert-manager + CA Injector: cert-manager generates the cert. The cainjector component automatically patches the webhook configuration with the correct CA bundle. This is the recommended approach.
• Self-managed: Generate a self-signed CA, create a cert, mount it in the webhook pod, and set the caBundle field in the webhook config. Works but requires manual rotation.
• Kubernetes API: Use the CertificateSigningRequest API to get the cluster CA to sign your webhook cert. The webhook config can then reference the cluster CA with no caBundle needed.

Other extension points with certificate requirements: API aggregation (custom API servers registered via APIService), CRI (container runtime interface, kubelet-to-runtime TLS), and external admission controllers (OPA Gatekeeper, Kyverno). Each needs a cert the API server trusts, and each must be rotated.

Certificate errors in Kubernetes are among the most common and most confusing operational issues. Here’s a field guide to the errors you’ll encounter and what they actually mean.

The error menagerie

Essential debug commands

# Check all control-plane cert expiry dates at a glance
kubeadm certs check-expiration

# Inspect a specific cert in detail
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

# See what a live server presents (without trusting it)
openssl s_client -connect <api-server>:6443 -showcerts 2>/dev/null | \
  openssl x509 -text -noout

# Verify a cert was signed by a specific CA
openssl verify -CAfile /etc/kubernetes/pki/ca.crt \
  /etc/kubernetes/pki/apiserver.crt

# Check if cert and key match (compare modulus hashes)
diff <(openssl x509 -noout -modulus -in cert.crt | md5) \
     <(openssl rsa -noout -modulus -in cert.key | md5)

# View pending and approved CSRs
kubectl get csr -o wide

# Check cert-manager certificate status
kubectl get certificates -A
kubectl describe certificate <name>

# Decode a cert from a K8s secret
kubectl get secret example-tls -o jsonpath='{.data.tls\.crt}' | \
  base64 -d | openssl x509 -text -noout

That’s the complete picture. From trapdoor functions, through chains of trust, through TLS handshakes, through ACME automation, to a new Kubernetes node bootstrapping itself with nothing but a temporary token and a CA hash — and beyond, to cert-manager automating certificate lifecycle, service meshes extending mTLS to every pod, and webhook certificates securing the extension layer. Every layer built on the one below it. Every design decision motivated by a specific threat or operational reality.

Certificates aren’t magic — they’re signed documents, verified by math, organized by trust hierarchies, and automated by protocols. The complexity is the minimum machinery required to establish trust between strangers over hostile networks.