This message was deleted.

I'd like to hope there's a more obvious place, but at a minimum there's a low-level place. So that'd be something on K3S master nodes, which would be the VM's file system. It'll be under /var/lib/rancher , I think /var/lib/rancher/k3s and you may need to poke around from there. The other thing that you're going to notice is there are a lot of PKI key pairs for different services and it's been a while (and on RKE2) since I poked around similar directories and I don't recall if there's a clear "cluster CA cert pair".

All the

k3s

certs can be found here:

$ rdctl shell sudo ls /var/lib/rancher/k3s/server/tls
client-admin.crt                 client-k3s-controller.crt        etcd
client-admin.key                 client-k3s-controller.key        request-header-ca.crt
client-auth-proxy.crt            client-kube-apiserver.crt        request-header-ca.key
client-auth-proxy.key            client-kube-apiserver.key        server-ca.crt
client-ca.crt                    client-kube-proxy.crt            server-ca.key
client-ca.key                    client-kube-proxy.key            service.key
client-controller.crt            client-kubelet.key               serving-kube-apiserver.crt
client-controller.key            client-scheduler.crt             serving-kube-apiserver.key
client-k3s-cloud-controller.crt  client-scheduler.key             serving-kubelet.key
client-k3s-cloud-controller.key  dynamic-cert.json                temporary-certs

Even better