diff --git a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index 7e22bc1b34..742251f9a0 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -36,13 +36,19 @@ Kubernetes 项目建议及时升级到最新的补丁版本,并确保你正在
<!--
You should be familiar with [PKI certificates and requirements in Kubernetes](/docs/setup/best-practices/certificates/).
+You should be familiar with how to pass a [configuration](/docs/reference/config-api/kubeadm-config.v1beta4/) file to the kubeadm commands.
+-->
+你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)。
+
+你应该熟悉如何将一个[配置](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/)文件传递给
+kubeadm 命令。
+
+<!--
This guide covers the usage of the `openssl` command (used for manual certificate signing,
if you choose that approach), but you can use your preferred tools.
Some of the steps here use `sudo` for administrator access. You can use any equivalent tool.
-->
-你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)。
-
本指南将介绍如何使用 `openssl` 命令(用于手动证书签名),但你可以使用你喜欢的工具。
这里的一些步骤使用 `sudo` 来获取管理员访问权限。你可以使用任何等效的工具。
@@ -78,6 +84,66 @@ and kubeadm will use this CA for signing the rest of the certificates.
例如,这意味着你可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
`/etc/kubernetes/pki/ca.key` 中,而 kubeadm 将使用此 CA 对其余证书进行签名。
+<!--
+## Choosing an encryption algorithm {#choosing-encryption-algorithm}
+
+kubeadm allows you to choose an encryption algorithm that is used for creating
+public and private keys. That can be done by using the `encryptionAlgorithm` field of the
+kubeadm configuration:
+-->
+## 选择加密算法 {#choosing-encryption-algorithm}
+
+kubeadm 允许你选择用于创建公钥和私钥的加密算法。这可以通过使用
+kubeadm 配置中的 `encryptionAlgorithm` 字段来实现。
+
+```yaml
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+encryptionAlgorithm: <ALGORITHM>
+```
+
+<!--
+`<ALGORITHM>` can be one of `RSA-2048` (default), `RSA-3072`, `RSA-4096` or `ECDSA-P256`.
+-->
+`<ALGORITHM>` 可以是 `RSA-2048`(默认)、`RSA-3072`、`RSA-4096`
+或 `ECDSA-P256` 之一。
+
+<!--
+## Choosing certificate validity period {#choosing-cert-validity-period}
+
+kubeadm allows you to choose the validity period of CA and leaf certificates.
+That can be done by using the `certificateValidityPeriod` and `caCertificateValidityPeriod`
+fields of the kubeadm configuration:
+-->
+## 选择证书有效期 {#choosing-cert-validity-period}
+
+kubeadm 允许你选择 CA 和 leaf 证书的有效期。
+这可以通过使用 kubeadm 配置的 `certificateValidityPeriod` 和 `caCertificateValidityPeriod`
+字段来完成:
+
+<!--
+```yaml
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+certificateValidityPeriod: 8760h # Default: 365 days × 24 hours = 1 year
+caCertificateValidityPeriod: 87600h # Default: 365 days × 24 hours * 10 = 10 years
+```
+-->
+```yaml
+apiVersion: kubeadm.k8s.io/v1beta4
+kind: ClusterConfiguration
+certificateValidityPeriod: 8760h # 默认:365 天 × 24 小时 = 1 年
+caCertificateValidityPeriod: 87600h # 默认:365 天 × 24 小时 * 10 = 10 年
+```
+
+<!--
+The values of the fields follow the accepted format for
+[Go's `time.Duration` values](https://pkg.go.dev/time#ParseDuration), with the longest supported
+unit being `h` (hours).
+-->
+字段的值遵循 [Go 语言的 `time.Duration` 格式](https://pkg.go.dev/time#ParseDuration),
+支持的最长单位为 `h`(小时)。
+
<!--
## External CA mode {#external-ca-mode}
@@ -178,7 +244,8 @@ Alternatively, it is possible to use kubeadm phase commands to automate this pro
仅在将执行 `kubeadm init` 的第一个节点上需要此文件。
- 请注意,一些文件如 `pki/sa.*`、`pki/front-proxy-ca.*` 和 `pki/etc/ca.*`
在控制平面各节点上是相同的,你可以一次性生成它们并[手动将其分发](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/#manual-certs)到将执行
- `kubeadm join` 的节点,或者你可以使用 `kubeadm init` 的 [`--upload-certs`](/zh-cn/docs/setup/product-environment/tools/kubeadm/high-availability/#stacked-control-plane-and-etcd-nodes)
+ `kubeadm join` 的节点,或者你可以使用 `kubeadm init` 的
+ [`--upload-certs`](/zh-cn/docs/setup/product-environment/tools/kubeadm/high-availability/#stacked-control-plane-and-etcd-nodes)
和 `kubeadm join` 的 `--certificate-key` 特性来执行自动分发。
<!--
@@ -443,7 +510,7 @@ If you're creating a new cluster, you can use a kubeadm
[configuration file](/docs/reference/config-api/kubeadm-config.v1beta4/):
-->
如果你正在创建一个新的集群,你可以使用 kubeadm
-的[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/)。
+的[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/):
```yaml
apiVersion: kubeadm.k8s.io/v1beta4
@@ -459,7 +526,7 @@ controllerManager:
<!--
### Create certificate signing requests (CSR)
-->
-### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr}
+### 创建证书签名请求(CSR) {#create-certificate-signing-requests-csr}
<!--
See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatessigningrequest)
@@ -618,9 +685,8 @@ If you are looking for a solution for automatic approval of these CSRs it is rec
that you contact your cloud provider and ask if they have a CSR signer that verifies
the node identity with an out of band mechanism.
-->
-如果你在寻找一种能够自动批准这些 CSR 的解决方案,建议你与你的云提供商
-联系,询问他们是否有 CSR 签名组件,用来以带外(out-of-band)的方式检查
-节点的标识符。
+如果你在寻找一种能够自动批准这些 CSR 的解决方案,建议你与你的云提供商联系,
+询问他们是否有 CSR 签名组件,用来以带外(out-of-band)的方式检查节点的标识符。
{{% thirdparty-content %}}
@@ -911,7 +977,8 @@ on secondary control plane and on workers nodes (all nodes that call `kubeadm jo
That is because the active kube-controller-manager will be responsible
for signing new kubelet client certificates.
-->
-请注意,这也意味着自动 [kubelet 客户端证书轮换](/zh-cn/docs/tasks/tls/certificate-rotation/#enabling-client-certificate-rotation)将被禁用。
+请注意,这也意味着自动
+[kubelet 客户端证书轮换](/zh-cn/docs/tasks/tls/certificate-rotation/#enabling-client-certificate-rotation)将被禁用。
如果是这样,在证书即将到期时,你必须生成新的 `kubelet.conf.csr`,签署证书,
将其嵌入到 `kubelet.conf` 中并重新启动 kubelet。
@@ -959,8 +1026,8 @@ Based on the explanation in
[Considerations for kubelet.conf](#considerations-kubelet-conf) keep or delete
the `kubelet.conf` and `kubelet.conf.csr` files.
-->
-如果要使用外部 etcd,请阅读 [kubeadm 使用外部 etcd](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/#external-etcd-nodes)指南了解
-kubeadm 和 etcd 节点上需要哪些 CSR 文件。
+如果要使用外部 etcd,请阅读 [kubeadm 使用外部 etcd](/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/#external-etcd-nodes)
+指南了解 kubeadm 和 etcd 节点上需要哪些 CSR 文件。
你可以删除 `/etc/kubernetes/pki/etcd` 下的其他 `.csr` 和 `.key` 文件。
根据 [kubelet.conf 的注意事项](#considerations-kubelet-conf)中的说明,
@@ -1034,12 +1101,45 @@ present in the `/etc/kubernetes` tree.
<!--
```bash
+#!/bin/bash
+
# Set certificate expiration time in days
+DAYS=365
+
# Process all CSR files except those for front-proxy and etcd
-# Trim the extension
+find ./ -name "*.csr" | grep -v "pki/etcd" | grep -v "front-proxy" | while read -r FILE;
+do
+ echo "* Processing ${FILE} ..."
+ FILE=${FILE%.*} # Trim the extension
+ if [ -f "./pki/ca.srl" ]; then
+ SERIAL_FLAG="-CAserial ./pki/ca.srl"
+ else
+ SERIAL_FLAG="-CAcreateserial"
+ fi
+ openssl x509 -req -days "${DAYS}" -CA ./pki/ca.crt -CAkey ./pki/ca.key ${SERIAL_FLAG} \
+ -in "${FILE}.csr" -out "${FILE}.crt"
+ sleep 2
+done
+
# Process all etcd CSRs
-# Trim the extension
+find ./pki/etcd -name "*.csr" | while read -r FILE;
+do
+ echo "* Processing ${FILE} ..."
+ FILE=${FILE%.*} # Trim the extension
+ if [ -f "./pki/etcd/ca.srl" ]; then
+ SERIAL_FLAG=-CAserial ./pki/etcd/ca.srl
+ else
+ SERIAL_FLAG=-CAcreateserial
+ fi
+ openssl x509 -req -days "${DAYS}" -CA ./pki/etcd/ca.crt -CAkey ./pki/etcd/ca.key ${SERIAL_FLAG} \
+ -in "${FILE}.csr" -out "${FILE}.crt"
+done
+
# Process front-proxy CSRs
+echo "* Processing ./pki/front-proxy-client.csr ..."
+openssl x509 -req -days "${DAYS}" -CA ./pki/front-proxy-ca.crt -CAkey ./pki/front-proxy-ca.key -CAcreateserial \
+ -in ./pki/front-proxy-client.csr -out ./pki/front-proxy-client.crt
+```
-->
```bash
#!/bin/bash