# general
s
I think I found it when I run `openssl s_client -showcerts -connect rancher.cattle-system.svc.cluster.local:443` from inside another pod
p
The internal certs are issued by your Kubernetes cluster CA. Where the CA cert itself lives depends on how you installed Kubernetes. If you're using rke2, it's on your control plane nodes at `/var/lib/rancher/rke2/server/tls/server-ca.crt`. If you used kubeadm, it'd be in `/etc/kubernetes/pki/ca.crt`. That's all assuming you used defaults and allowed them to generate self-signed CAs, but you always have the option to provide your own CA to the installer. You can also get it by base64 decoding the value associated with `certificate-authority-data` in your kubeconfig entry for the cluster, since it's also the CA that issues the certificate for the API server.