How to re-create kubeconfig for system:admin user in OpenShift 4 via CSR (alternate method)

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.6+

Issue

  • The installation kubeconfig file is missing and needs to be re-created with client certificate authentication for the system:admin user.

  • Is it possible to re-create the installation kubeconfig file in RHOCP 4?

  • The cluster can no longer be accessed with the original kubeconfig file because of a certificate error:

      $ oc get nodes --kubeconfig=<install directory>/auth/kubeconfig
      Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer")
    

Resolution

Note: This is not the preferred way to achieve this. The method below relies on a CertificateSigningRequest, and the certificate it yields is short-lived: at most 30 days, the maximum the cluster signer grants. The recommended method is described in this solution. Alternatively, you can create your own CA and certificate as described in How to replace the certificate authority for the installer system:admin kubeconfig, which lets you add your own CA and generate the system:admin certificates yourself. This solution is kept as an alternative and for illustrative purposes, but it is not recommended.

Note: To execute this procedure you need access to the cluster with an account that can approve CertificateSigningRequests (CSRs) and read ServiceAccount token secrets.

Create a private key and a certificate request for the system:admin user. The CN of the request becomes the Kubernetes user name, so it must be exactly system:admin. Note that -nodes writes the private key unencrypted; it is a cluster-admin credential, so keep it readable only by you (mode 0600) and delete it once it has been embedded in the kubeconfig:

$ openssl req -new -newkey rsa:4096 -nodes -keyout newauth-access.key -out newauth-access.csr -subj "/CN=system:admin"

Create the CSR resource definition. Write the file with > rather than >>, so that running the command a second time does not append a duplicate YAML document to it:

$ cat << EOF > newauth-access-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: newauth-access
spec:
  signerName: kubernetes.io/kube-apiserver-client
  groups:
  - system:authenticated
  request: $(cat newauth-access.csr | base64 -w0)
  usages:
  - client auth
EOF

$ oc create -f newauth-access-csr.yaml

By default, the certificate issued for this request is valid for one month, which is the maximum the cluster signer grants. A shorter lifetime can be requested with spec.expirationSeconds. The field is honored on RHOCP 4.9 and later (Kubernetes 1.22); values below 600 seconds (10 minutes) are rejected by the API, and a request longer than the signer's configured maximum is silently shortened to that maximum.

...
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  groups:
  - system:authenticated
  ...

List the pending requests, approve the new one and extract the issued client certificate. Check the certificate's subject and validity dates (openssl x509 -noout -subject -dates) before using it, because the signer may have granted a shorter lifetime than requested:

$ oc get csr

$ oc adm certificate approve newauth-access

$ oc get csr newauth-access -o jsonpath='{.status.certificate}' | base64 -d > newauth-access.crt

Add system:admin credentials, context to the new kubeconfig:

$ oc config set-credentials system:admin --client-certificate=newauth-access.crt --client-key=newauth-access.key --embed-certs --kubeconfig=/tmp/newkubeconfig

Create a context for system:admin (the cluster name is read from the kubeconfig currently in use):

$ oc config set-context system:admin --cluster=$(oc config view -o jsonpath='{.clusters[0].name}') --namespace=default --user=system:admin --kubeconfig=/tmp/newkubeconfig

Extract the certificate authority bundle that validates the kube-apiserver serving certificate:

$ oc get secret localhost-recovery-client-token -n openshift-kube-controller-manager -ojsonpath='{.data.ca\.crt}'| base64 -d > bundle-ca.crt

If the cluster uses custom kube-apiserver certificates (a named serving certificate issued by your own CA), append that CA as well, otherwise the new kubeconfig fails with the same x509 error shown in the Issue section:

$ cat custom-ca.crt >> bundle-ca.crt

Set certificate authority data:

$ oc config set-cluster $(oc config view -o jsonpath='{.clusters[0].name}') --server=$(oc config view -o jsonpath='{.clusters[0].cluster.server}') --certificate-authority=bundle-ca.crt --kubeconfig=/tmp/newkubeconfig --embed-certs

Set current context to system:admin:

$ oc config use-context system:admin --kubeconfig=/tmp/newkubeconfig

Test client certificate authentication with system:admin:

$ oc --kubeconfig=/tmp/newkubeconfig get nodes 
NAME                             STATUS   ROLES    AGE   VERSION
example-69lbr-master-0       Ready    master   21d   v1.21.1+9807387
example-69lbr-master-1       Ready    master   21d   v1.21.1+9807387
example-69lbr-master-2       Ready    master   21d   v1.21.1+9807387
[...]

If you need to create a Certificate Authority, refer to the KCS article How to create a Certificate Authority for the system:admin kubeconfig.

Note: A certificate obtained with this procedure is signed by the cluster's own CSR signer, whose lifetime is fixed: the signer expires every 14 months and this period cannot be changed. A client certificate stops being accepted as soon as the signer that issued it has expired, so the kubeconfig re-created above can never outlive the signer, whatever value you request in expirationSeconds. Passing -days to openssl req has no effect here either: that option only applies when openssl itself generates a self-signed certificate (-x509), not a request. In practice the effective limit is the signer's maximum signing duration of 30 days mentioned above.
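The whole procedure above, from the key pair through the connectivity test and including the expirationSeconds handling, as one set of shell functions. This is an added example and not part of the Red Hat article or of OpenShift itself: the function names, the 10-minute lower bound and 30-day ceiling (the ceiling is the signer maximum the article states), the polling loop, the key/certificate match check and the optional custom-CA argument are the example's own choices. It assumes oc is already logged in as an account that can approve CSRs and read the secret in openshift-kube-controller-manager, and that GNU base64 and openssl are installed.

```shell
#!/usr/bin/env bash
# Added example, not from the KCS article: the CSR procedure wrapped in shell
# functions with the checks worth running before trusting the result.
# Assumptions: oc is logged in as an account that can approve CSRs and read the
# localhost-recovery-client-token secret; GNU base64 and openssl are installed.

EXP_MIN=600       # Kubernetes rejects expirationSeconds below 10 minutes
EXP_MAX=2592000   # 30 days, the signer maximum stated in the article (assumption)

# check_expiration_seconds N -> 0 if N is an integer within [EXP_MIN, EXP_MAX]
check_expiration_seconds() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$EXP_MIN" ] && [ "$1" -le "$EXP_MAX" ]
}

# csr_manifest NAME BASE64_CSR EXPIRATION_SECONDS -> CSR manifest on stdout
csr_manifest() {
  check_expiration_seconds "$3" || { echo "bad expirationSeconds: $3" >&2; return 1; }
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: $3
  groups:
  - system:authenticated
  request: $2
  usages:
  - client auth
EOF
}

# recreate_admin_kubeconfig OUT [EXPIRATION_SECONDS] [CUSTOM_APISERVER_CA_PEM]
recreate_admin_kubeconfig() {
  local out=$1 exp=${2:-86400} custom_ca=${3:-} name=newauth-access work cert i
  work=$(mktemp -d) && chmod 700 "$work"

  # 1. Key and request. -nodes leaves the key unencrypted, so restrict it and
  #    delete the work directory once the key is embedded in the kubeconfig.
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=system:admin" \
    -keyout "$work/admin.key" -out "$work/admin.csr" 2>/dev/null
  chmod 600 "$work/admin.key"

  # 2. Submit the CSR object. A stale object of the same name would make
  #    'oc create' fail, so remove it first.
  csr_manifest "$name" "$(base64 -w0 < "$work/admin.csr")" "$exp" > "$work/csr.yaml"
  oc delete csr "$name" --ignore-not-found
  oc create -f "$work/csr.yaml"

  # 3. Approve, then wait for the signer to fill in status.certificate.
  oc adm certificate approve "$name"
  cert=""
  for i in $(seq 1 30); do
    cert=$(oc get csr "$name" -o jsonpath='{.status.certificate}')
    [ -n "$cert" ] && break
    sleep 2
  done
  [ -n "$cert" ] || { echo "CSR $name was not issued" >&2; return 1; }
  printf '%s' "$cert" | base64 -d > "$work/admin.crt"

  # 4. Checks: the subject really is system:admin, the private key matches the
  #    certificate, and the validity the signer actually granted is printed.
  openssl x509 -in "$work/admin.crt" -noout -subject | grep -q 'CN *= *system:admin' \
    || { echo "unexpected subject" >&2; return 1; }
  [ "$(openssl x509 -in "$work/admin.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$work/admin.key" -pubout)" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$work/admin.crt" -noout -dates

  # 5. Assemble the kubeconfig as the article does, CA bundle included.
  local cluster server
  cluster=$(oc config view -o jsonpath='{.clusters[0].name}')
  server=$(oc config view -o jsonpath='{.clusters[0].cluster.server}')
  oc get secret localhost-recovery-client-token -n openshift-kube-controller-manager \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$work/bundle-ca.crt"
  [ -n "$custom_ca" ] && cat "$custom_ca" >> "$work/bundle-ca.crt"
  oc config set-cluster "$cluster" --server="$server" \
    --certificate-authority="$work/bundle-ca.crt" --embed-certs --kubeconfig="$out"
  oc config set-credentials system:admin --client-certificate="$work/admin.crt" \
    --client-key="$work/admin.key" --embed-certs --kubeconfig="$out"
  oc config set-context system:admin --cluster="$cluster" --namespace=default \
    --user=system:admin --kubeconfig="$out"
  oc config use-context system:admin --kubeconfig="$out"
  chmod 600 "$out"
  rm -rf "$work"

  # 6. Prove the new identity is cluster-admin, not merely authenticated.
  oc --kubeconfig="$out" whoami
  oc --kubeconfig="$out" auth can-i '*' '*'
}
```

Source the file and run recreate_admin_kubeconfig /tmp/newkubeconfig 86400, adding a third argument with the CA of a custom API server certificate if the cluster has one. The subject and key-match checks catch the two ways this goes wrong silently: a CSR generated from a different key than the one embedded, and a CN that is not exactly system:admin, which would authenticate but carry no cluster-admin rights.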

Diagnostic Steps

$ oc get nodes --kubeconfig=<install directory>/auth/kubeconfig
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer")

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.