Merge pull request #66117 from bergerhoffer/OCPBUGS-20101

OCPBUGS#20101: Adding info on kubelet CA certs

Author: bergerhoffer

security/certificate_types_descriptions/node-certificates.adoc

@@ -8,12 +8,31 @@ toc::[]
 
 == Purpose
 
-Node certificates are signed by the cluster; they come from a certificate authority (CA) that is generated by the bootstrap process. After the cluster is installed, the node certificates are auto-rotated.
+Node certificates are signed by the cluster and allow the kubelet to communicate with the Kubernetes API server. They come from the kubelet CA certificate, which is generated by the bootstrap process.
+
+== Location
+
+The kubelet CA certificate is located in the `kube-apiserver-to-kubelet-signer` secret in the `openshift-kube-apiserver-operator` namespace.
 
 == Management
 
 These certificates are managed by the system and not the user.
 
+== Expiration
+
+Node certificates are automatically rotated after 292 days and expire after 365 days.
+
+== Renewal
+
+The Kubernetes API Server Operator automatically generates a new `kube-apiserver-to-kubelet-signer` CA certificate at 292 days. The old CA certificate is removed after 365 days. Nodes are not rebooted when a kubelet CA certificate is renewed or removed.
+
+Cluster administrators can manually renew the kubelet CA certificate by running the following command:
+
+[source,terminal]
+----
+$ oc annotate -n openshift-kube-apiserver-operator secret kube-apiserver-to-kubelet-signer auth.openshift.io/certificate-not-after-
+----
+
 [discrete]
 [role="_additional-resources"]
 == Additional resources