
kubectl openssl: Debugging Kubernetes TLS Certificates Fast

When Kubernetes security and TLS certificates collide, kubectl and openssl become the sharpest tools you own. kubectl lets you reach deep inside your cluster. openssl lets you inspect, verify, and debug certificates before they break production. Combined, they cut straight to the truth.

Why “kubectl openssl” matters
TLS and mTLS are everywhere in Kubernetes—API servers, ingress controllers, service-to-service communication. If a certificate expires or is misconfigured, your pods will stop talking. You can pull the certs from the cluster with kubectl and check them instantly with openssl. No UI, no guessing, no delay.

Pulling a certificate from a secret

kubectl get secret my-tls-secret -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt

This gives you the raw certificate file. From here, openssl x509 -in tls.crt -noout -text shows the issuer, subject, and expiration date.

Inspecting a live service certificate

openssl s_client -connect myservice.namespace.svc.cluster.local:443 -showcerts

Combine this with kubectl port-forward to inspect a pod from your local machine without exposing it externally.

Debugging mTLS in cluster

  1. Verify the client cert with openssl verify -CAfile ca.crt client.crt.
  2. Check SAN fields to ensure DNS names match Kubernetes service names.
  3. Cross-check expiration across all mTLS pairs.
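
The three checks above as shell functions, run against a throwaway CA and client certificate generated on the spot. This is an added example, not code from the original post; the function names, file names and the constructed certificates are assumptions of the example, and it relies only on the standard openssl verify, x509 -checkhost and x509 -checkend options.

```shell
#!/bin/sh
# Added example: the three mTLS checks as reusable functions.
# Function names and the throwaway PKI below are constructed for illustration.

# 1. Does the certificate chain to the given CA?
cert_chains_to() {            # cert_chains_to ca.crt cert.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Does a SAN entry cover this DNS name? (-checkhost applies wildcard rules)
cert_covers_dns() {           # cert_covers_dns cert.crt dns-name
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# 3. Is the certificate still valid N days from now?
cert_valid_for() {            # cert_valid_for cert.crt days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample: a CA valid 30 days and a client cert valid 5 days.
make_sample_pki() {           # make_sample_pki dir
  pki_dir=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$pki_dir/ca.cnf"
  printf '%s\n' 'subjectAltName=DNS:myservice.namespace.svc.cluster.local' \
    > "$pki_dir/san.ext"
  openssl req -x509 -config "$pki_dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=constructed-ca' -keyout "$pki_dir/ca.key" \
    -out "$pki_dir/ca.crt" 2>/dev/null &&
  openssl req -new -config "$pki_dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=constructed-client' -keyout "$pki_dir/client.key" \
    -out "$pki_dir/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$pki_dir/client.csr" -CA "$pki_dir/ca.crt" \
    -CAkey "$pki_dir/ca.key" -CAcreateserial -days 5 \
    -extfile "$pki_dir/san.ext" -out "$pki_dir/client.crt" 2>/dev/null
}

# Demo run on the constructed pair.
demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
svc=myservice.namespace.svc.cluster.local
cert_chains_to "$demo_dir/ca.crt" "$demo_dir/client.crt" && echo "chain: ok"
cert_covers_dns "$demo_dir/client.crt" "$svc" && echo "SAN: covers $svc"
cert_valid_for "$demo_dir/client.crt" 30 || echo "expiry: within 30 days, rotate"
rm -rf "$demo_dir"
```

To use the functions on real material, point them at the tls.crt and ca.crt files pulled from the cluster secrets instead of the generated pair.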

When “kubectl openssl” workflows are in place, you remove TLS guesswork. You see the cert in full. You verify it at the source. You can resolve outages before they hit users.

Run these commands today on a staging cluster. Get the muscle memory. Certificates fail quietly—your response shouldn’t be quiet.

See a live, working example in minutes at hoop.dev, and connect to your Kubernetes cluster securely without writing a single script.
