Create Cert for KES manually self signed cert - cniackz/public GitHub Wiki

Objective:

Create a self-signed cert manually for KES (the CSR is approved through the cluster's kubernetes.io/kubelet-serving signer) so you can extend the expiration.

Steps:

  1. Create the private key:
openssl genrsa -out private.key 2048
  2. Create cert.cnf with the subject and SAN data KES uses (the headless service and the pod DNS names):
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
O = "system:nodes"
C = US
CN  = "system:node:*.kes-tenant-kes-hl-svc.default.svc.cluster.local"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = kes-tenant-kes-0.kes-tenant-kes-hl-svc.default.svc.cluster.local
DNS.2 = kes-tenant-kes-hl-svc.default.svc.cluster.local
  3. Generate the CSR:
openssl req -new -config cert.cnf -key private.key -out kes.csr
  4. Base64-encode the CSR as a single line:
cat kes.csr | base64 | tr -d "\n"
  5. Create the CertificateSigningRequest manifest (kes-csr.yaml) with the encoded CSR as spec.request:
  • set spec.expirationSeconds for as long as needed (the API server rejects values below 600 seconds, and the signer will not issue beyond its own maximum duration)
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: kes-csr 
spec:
  expirationSeconds: 604800
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:minio-operator
  - system:authenticated
  - system:nodes
  request: 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
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:serviceaccount:minio-operator:minio-operator

  6. Apply it:
kubectl apply -f kes-csr.yaml
  7. Approve it:
kubectl certificate approve kes-csr
  8. Check the CSR status and save the signed certificate (k is an alias for kubectl):
k get csr
k get csr kes-csr -o jsonpath='{.status.certificate}'| base64 -d > public.crt

  9. Replace the secret in the cluster with two new values (copy the secret, delete it, then create it again with the new data):
  • private.key: the private key from step 1
  • public.crt: the certificate from the previous step
  • note that the dump below shows kubectl apply saved the full secret data, private key included, in the kubectl.kubernetes.io/last-applied-configuration annotation; creating the secret with kubectl create (or kubectl replace) keeps the key material out of that annotation
apiVersion: v1
kind: Secret
metadata:
  name: kes-tenant-kes-tls
  namespace: default
  uid: 7aaf4eb4-11c8-40e9-80a3-13a42fec8187
  resourceVersion: '8653'
  creationTimestamp: '2023-01-04T02:14:18Z'
  labels:
    v1.min.io/kes: kes-tenant-kes
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"private.key":"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRREVXYStvblE2blBjWG0KR1NaSFJDcnJxTEZscjlkTyt5Tk1JaWNXTzlXOXZwQlkyNEdobEhuNUN1SW83ejB5MkRFcTZ0aVRKRTI3bWx5YgpZNW4yajNQOEtTUE45cHk0Nm93RXkyNU1hYlFDZzg5Z0FtMktzYzlWSzVzZzloWmdVVzhuMDJ4R0lSc0w5QU9lCnVnTnJ4dmh5dVBVNjlqRUN6Z012Wlg5TGlFY0UxVktzT2xQcE9RYzZOa2lpKzNqYnphQlFkcGtnSG4vdkV3UXkKdDNqR2dPNjNYMCsvSjF0VlY5dVhnMFhOQnU3eXRyamR0WjRhVi9YZWNYWDVTTkxuUlpFU2kyUmhXWXU0TDFyYwpoU1Q2WEluckRCY044Nk9pVVBzL01EeTczL3JldzM1ajR5VFQxZDdCNHpEaVFROVNNeGRuVHlGOXV3TWg5dk9qCm5yeVFMbk8vQWdNQkFBRUNnZ0VBRFF0d1VpRnRFY3RXMUh5alFHVFUvU2NOOGhXR2xtYTA1NS8xUE5MbzFseE0KdHJxT21DK0hFdmFZSStRUkNzbTJLb1hEc2JMZHZ6TDRLQktyN2VlRjZ5RElraXhxS1JiY0NvMkJYRzVCV1ZGcwplNUp0dUtNcmhSc0tpVndRRElJY2dtYlhjS2xPWkxMbmNxb2xCQW9LQTRVcU5hcVpndmd3MmZ0Q1E4QmdCNEFPCjNEU3dIR0U5elFYdG5XeStDZVNSeFR5QUw5aWNPZWM4L1JDckU0QlFudGhmN2laSWcybFVPSlpmVm1sWkVCOTQKazRGK3hPZTFFWVcxa3pvcmd3R3JKT2lMZG1qOVdHeDJyOGxndDVSM09KbTZ4b2hrNDBEMHRCVmY4RG1CbTRnVQpnMEdTU2o4OVc2NG9SL0ZLY1lDSDVmL1ljWDM2MUxiOVd6MmtTTFQvTVFLQmdRRGJ4MzltWkxOc09iU2tTdXlpCnppWStCRURiVUkxTFNHNk5nbG4xK3ZuclNOZno3VHlaVjJOY1dMYXQzdDdJbUE3VTh4TVNkQ1hBLzZ4T2dQcXcKQnM2WE9yN2ZPSGhpdm56L052UGo3ZVpCUm9TS0ZkR1BlRkZ3NFBMeVNqck5iQXhLcjlCZldPMDV3clYvaHNJNwpabDN3TFkvMkl4aEFoVkM0cmkxNytueEhTd0tCZ1FEa3RiZzBYUXg1V3RWeXdmeitXYk5sOUZvY2tnVHB0c2kvClYvU2NFVXU5UnpHMGttZDhLT0xER2ZVcTRCOTZsUE5ZQ24rYXJYVjRwaW1EbTVrZC9JQUZrWDhmUkpyYWswalAKMEY0U1R0VWlYTDNxVXB4bzJndE5aTkh0VlhTZkdYc2IvUmY0NFFIVkorVG5yZlFMblJzSjZlcUkvejI2a3lLRgpuZVQ5NDVXNDNRS0JnRzVRV1ZzTXlwNVU3SjNXV2FaeU1QSEo4ci9pVTdsbzFzekNrK01Lb1d6K3VCNWdncDA1CkpzOVFYQWt6cDhFcHliQUxmaFF5SmswVVIrbHpoZURhMmRGQWxGTzRwWHh5dm96ZmlWVnJzTG9zNmhQaFZibGMKbkF3N2JOWStlZnRuODFkOW5lcHQyVXkzdGFBWUJPQUp4cmJxTjZ0RS9FUk9aakQ4aENvSmxWMjNBb0dCQU1CdQpHUGVOMXFJQWlCa1BHUE5VdTdtcnQyblVmZWU2ei9zV1lRd3pEVHZMUEFvSEtLVHhyYUdrSklDWHBFUzZNR2pDCkpJMGJKdnlGS2VhK3N6emtwejZJSmFKRVVkcFlFK291RWdoclphNk13NG4xU2Y1NmZ3bjJLeDc2U0s1WWZSbVcKZ0dYNXcx
WDZSQUdlZmZpTGppVndOOUplbHl4MUFaWFV2TWZWaGJMTkFvR0FlcnQ4c3RSamFxNmxsdGtBTmNTWgpuL2pRc2NtMEZRSDh6ekxLWnZ5WXFIUHZhKzFWR3h0TnRLOVVBN2oyMVZwUWc5S1F3ek5FZ1dXcmpPdkxrb2psCkEyOGtuQmh4eXdOWXBuMTFmdUFiYnFGNjRvSCtUdmVra0orNXN3UDBFaXQzdmJOb2FhdSs2Qk9BcjBQck9tVTUKeERGdnFKMzF0anJLT3hYbW9CQWdvMG89Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=","public.crt":"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"},"kind":"Secret","metadata":{"annotations":{},"creationTimestamp":"2023-01-04T01:19:08Z","labels":{"v1.min.io/kes":"kes-tenant-kes"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:private.key":{},"f:public.crt":{}},"f:metadata":{"f:labels":{".":{},"f:v1.min.io/kes":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"80915286-ab13-4e3f-bc23-0d293fe271b7\"}":{}}},"f:type":{}},"manager":"minio-operator","operation":"Update","time":"2023-01-04T01:19:08Z"}],"name":"kes-tenant-kes-tls","namespace":"default","ownerReferences":[{"apiVersion":"minio.min.io/v2","blockOwnerDeletion":true,"controller":true,"kind":"Tenant","name":"kes-tenant","uid":"80915286-ab13-4e3f-bc23-0d293fe271b7"}],"resourceVersion":"1389","selfLink":"/api/v1/namespaces/default/secrets/kes-tenant-kes-tls","uid":"ab343272-d5a8-4fd4-a33d-ecb487105abe"},"type":"Opaque"}
  ownerReferences:
    - apiVersion: minio.min.io/v2
      kind: Tenant
      name: kes-tenant
      uid: 80915286-ab13-4e3f-bc23-0d293fe271b7
      controller: true
      blockOwnerDeletion: true
  managedFields:
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: v1
      time: '2023-01-04T02:14:18Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:private.key: {}
          f:public.crt: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:labels:
            .: {}
            f:v1.min.io/kes: {}
          f:ownerReferences:
            .: {}
            k:{"uid":"80915286-ab13-4e3f-bc23-0d293fe271b7"}: {}
        f:type: {}
  selfLink: /api/v1/namespaces/default/secrets/kes-tenant-kes-tls
type: Opaque
data:
  private.key: >-
    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
  public.crt: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ0VENDQXNtZ0F3SUJBZ0lRVE9oVW5NTDRabVdSYXA1Y1VqMFBKVEFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl6TURFd05EQXhOVGMwTUZvWERUSXpNREV3TkRBeQpNVEkwTUZvd2JERUxNQWtHQTFVRUJoTUNWVk14RlRBVEJnTlZCQW9UREhONWMzUmxiVHB1YjJSbGN6RkdNRVFHCkExVUVBd3c5YzNsemRHVnRPbTV2WkdVNktpNXJaWE10ZEdWdVlXNTBMV3RsY3kxb2JDMXpkbU11WkdWbVlYVnMKZEM1emRtTXVZMngxYzNSbGNpNXNiMk5oYkRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQwpnZ0VCQU1SWnI2aWREcWM5eGVZWkprZEVLdXVvc1dXdjEwNzdJMHdpSnhZNzFiMitrRmpiZ2FHVWVma0s0aWp2ClBUTFlNU3JxMkpNa1RidWFYSnRqbWZhUGMvd3BJODMybkxqcWpBVExia3hwdEFLRHoyQUNiWXF4ejFVcm15RDIKRm1CUmJ5ZlRiRVloR3d2MEE1NjZBMnZHK0hLNDlUcjJNUUxPQXk5bGYwdUlSd1RWVXF3NlUrazVCem8yU0tMNwplTnZOb0ZCMm1TQWVmKzhUQkRLM2VNYUE3cmRmVDc4blcxVlgyNWVEUmMwRzd2SzJ1TjIxbmhwWDlkNXhkZmxJCjB1ZEZrUktMWkdGWmk3Z3ZXdHlGSlBwY2llc01GdzN6bzZKUSt6OHdQTHZmK3Q3RGZtUGpKTlBWM3NIak1PSkIKRDFJekYyZFBJWDI3QXlIMjg2T2V2SkF1Yzc4Q0F3RUFBYU9CMVRDQjBqQU9CZ05WSFE4QkFmOEVCQU1DQmFBdwpFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0V3REFZRFZSMFRBUUgvQkFJd0FEQWZCZ05WSFNNRUdEQVdnQlJPCks3dGRNRXlKREpaVkhwWmE1K0dTUzMwYlZUQjhCZ05WSFJFRWRUQnpna0JyWlhNdGRHVnVZVzUwTFd0bGN5MHcKTG10bGN5MTBaVzVoYm5RdGEyVnpMV2hzTFhOMll5NWtaV1poZFd4MExuTjJZeTVqYkhWemRHVnlMbXh2WTJGcwpnaTlyWlhNdGRHVnVZVzUwTFd0bGN5MW9iQzF6ZG1NdVpHVm1ZWFZzZEM1emRtTXVZMngxYzNSbGNpNXNiMk5oCmJEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFDL2M3MWFLS0p1VjBtd3U4MlJpOEJKZUZJVkxRZzBldjNBc2wKKzJrZ2dEdTA1VGtqeTF2WFZDVGxXRUhES0liUFdBVE93SkN5ZWhTTDVncG5DTG9teU01THQxUXUvNGZabWpaLwoxZ1FlYm9ha2xxR0IzenVjVmhCL0J3bWxvY3NvQTRWZ0FEV0Q1ZCt1WXlOMkNVK1hOaCs2Z2xzOVl4Q0JKY2tCCkV6VlM2RjdlaGl2L0dtbk5Nb2FEM3p2Sk5lRW92blZ3WWJNdVlydWJ6aFN3dnlCZHdncmFaTTZsRTlKVkViRHYKMHJlby8zUDdpUkoxSGF4WW5hYzlTeXFPSGUrdXlMR2ZDUEprZThlMHlEbC95a3k2M1BLZTJTVXhkeFNLVTE3ZAo2dWJPV2xyTG5LMUt4MG1yRUtibkE4NTBQNWpianlhS09yaVJ5c2FFZURjclJNeFdvZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
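
As an added example (not code from this wiki page, nor from MinIO, KES or the MinIO operator), here are steps 1 to 9 as one script with the checks worth running around them: it validates expirationSeconds before creating the CSR, confirms the issued certificate carries the public half of the key it generated, prints the new validity window and SANs, and recreates the secret with kubectl create. Assumptions: cert.cnf from step 2 is in the working directory, kubectl is pointed at the cluster and openssl is installed; the names kes-csr, kes-tenant-kes-tls and default are the page's and can be overridden through environment variables; RUN_KES_RENEWAL is a variable introduced here so the script touches nothing unless asked. The manifest it renders omits spec.username and spec.groups, which the API server fills in from the submitting identity.

```shell
#!/bin/sh
# Added example (not from the wiki page or the MinIO/KES projects): the KES certificate
# renewal steps end to end, with checks before and after. Assumes cert.cnf is in the
# working directory, kubectl reaches the cluster and openssl is installed.
set -eu

CSR_NAME="${CSR_NAME:-kes-csr}"
SECRET_NAME="${SECRET_NAME:-kes-tenant-kes-tls}"
NAMESPACE="${NAMESPACE:-default}"
EXPIRATION_SECONDS="${EXPIRATION_SECONDS:-604800}"   # 7 days, as on the page

# Kubernetes rejects spec.expirationSeconds below 600 and the signer caps it at its own
# maximum duration, so validate the number before creating the CSR object.
check_expiration_seconds() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 600 ]
}

# Render the CertificateSigningRequest manifest. $1 = name, $2 = base64 CSR on one line,
# $3 = expirationSeconds. spec.username/spec.groups are set by the API server, not here.
render_csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  expirationSeconds: $3
  signerName: kubernetes.io/kubelet-serving
  request: $2
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# Exit 0 while the certificate currently stored in the secret is still valid,
# non-zero once it has expired (or when the secret is missing).
secret_cert_is_valid() {
  kubectl -n "$NAMESPACE" get secret "$SECRET_NAME" -o jsonpath='{.data.public\.crt}' \
    | base64 -d | openssl x509 -noout -checkend 0 >/dev/null
}

# Poll the CSR until the controller manager has signed it, then write the PEM to stdout.
fetch_signed_cert() {
  i=0
  while [ "$i" -lt 30 ]; do
    cert=$(kubectl get csr "$1" -o jsonpath='{.status.certificate}')
    if [ -n "$cert" ]; then
      printf '%s' "$cert" | base64 -d
      return 0
    fi
    i=$((i + 1))
    sleep 2
  done
  echo "CSR $1 was not signed within 60s (was it approved?)" >&2
  return 1
}

# The issued certificate must carry the public key of the key we generated; a mismatched
# pair would make every TLS handshake to KES fail. $1 = cert PEM, $2 = private key PEM.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
  check_expiration_seconds "$EXPIRATION_SECONDS" \
    || { echo "EXPIRATION_SECONDS must be an integer >= 600" >&2; exit 1; }
  if secret_cert_is_valid; then
    echo "note: the certificate in $SECRET_NAME has not expired yet; renewing anyway" >&2
  fi

  openssl genrsa -out private.key 2048
  openssl req -new -config cert.cnf -key private.key -out kes.csr
  encoded=$(base64 < kes.csr | tr -d '\n')
  render_csr_manifest "$CSR_NAME" "$encoded" "$EXPIRATION_SECONDS" > kes-csr.yaml

  kubectl delete csr "$CSR_NAME" --ignore-not-found   # CSR spec is immutable; start fresh
  kubectl create -f kes-csr.yaml
  kubectl certificate approve "$CSR_NAME"
  fetch_signed_cert "$CSR_NAME" > public.crt
  cert_matches_key public.crt private.key \
    || { echo "issued certificate does not match private.key" >&2; exit 1; }
  openssl x509 -in public.crt -noout -subject -dates -ext subjectAltName

  # Recreate the secret with the page's key names. 'create' (not 'apply') keeps the key
  # material out of the last-applied-configuration annotation. The new object lacks the
  # Tenant ownerReference the operator-created secret had; re-add it if you rely on it.
  kubectl -n "$NAMESPACE" delete secret "$SECRET_NAME" --ignore-not-found
  kubectl -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-file=private.key=private.key --from-file=public.crt=public.crt
  echo "renewed $SECRET_NAME; restart the KES pods if they do not pick up the new cert" >&2
}

# Only touch the cluster when explicitly asked, so the helpers can be sourced on their own.
if [ "${RUN_KES_RENEWAL:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_KES_RENEWAL=1 sh renew-kes-cert.sh` from the directory holding cert.cnf. The script deletes any stale CSR of the same name first because a CSR's spec cannot be edited once created, and it refuses to overwrite the secret if the freshly issued certificate does not match the key, which is the failure mode that produces the "bad certificate" handshake errors shown in the next step.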

  10. The expectation is that once the cert is renewed manually, KES no longer logs these handshake errors:
{"message":"2023/01/04 02:23:21 http: TLS handshake error from 10.244.2.9:32816: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:23:28 http: TLS handshake error from 10.244.3.11:53456: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:23:28 http: TLS handshake error from 10.244.1.9:56722: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:23:28 http: TLS handshake error from 10.244.4.11:34152: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:23:28 http: TLS handshake error from 10.244.2.9:55300: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:23:28 http: TLS handshake error from 10.244.4.11:34160: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:24:21 http: TLS handshake error from 10.244.4.11:57746: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:25:21 http: TLS handshake error from 10.244.3.11:46140: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:21 http: TLS handshake error from 10.244.1.9:39912: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:28 http: TLS handshake error from 10.244.1.9:34282: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:28 http: TLS handshake error from 10.244.4.11:44194: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:28 http: TLS handshake error from 10.244.2.9:50250: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:28 http: TLS handshake error from 10.244.3.11:48754: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:26:28 http: TLS handshake error from 10.244.2.9:50260: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:27:21 http: TLS handshake error from 10.244.2.9:58644: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:27:21 http: TLS handshake error from 10.244.1.9:45242: remote error: tls: bad certificate"}
{"message":"2023/01/04 02:27:24 http: TLS handshake error from 10.244.1.9:45258: remote error: tls: bad certificate"}
  • and MinIO no longer fails its periodic IAM refresh with an expired certificate:
Error: Failure in periodic refresh for IAM (took 0.03s): Post "https://kes-tenant-kes-hl-svc.default.svc.cluster.local:7373/v1/key/decrypt/my-minio-key": x509: certificate has expired or is not yet valid: current time 2023-01-04T02:27:31Z is after 2023-01-04T02:12:40Z (*errors.errorString)
  11. Confirmed: with the new cert there are no more issues, and KES and MinIO start cleanly:
Authenticating to Hashicorp Vault 'http://vault.default.svc.cluster.local:8200' ... 
Endpoint: https://127.0.0.1:7373        https://10.244.4.16:7373      

Admin:    _     [ disabled ]
Auth:     off   [ any client can connect but policies still apply ]

Keys:     Hashicorp Vault: http://vault.default.svc.cluster.local:8200

CLI:      export KES_SERVER=https://127.0.0.1:7373
          export KES_CLIENT_KEY=<client-private-key>   // e.g. $HOME/root.key
          export KES_CLIENT_CERT=<client-certificate>  // e.g. $HOME/root.cert
          kes --help
Waiting for all MinIO sub-systems to be initialized.. lock acquired
Automatically configured API requests per node based on available memory on the system: 221
All MinIO sub-systems initialized successfully in 15.44125ms
MinIO Object Storage Server
Copyright: 2015-2023 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: RELEASE.2023-01-02T09-40-09Z (go1.19.4 linux/arm64)

Status:         4 Online, 0 Offline. 
API: https://minio.default.svc.cluster.local 
Console: https://10.244.3.12:9443 https://127.0.0.1:9443   

Documentation: https://min.io/docs/minio/linux/index.html

Conclusion:

We can renew the certificate manually when it expires.