From cd5400ec6524266113d257702c9589fe5cfe3ec7 Mon Sep 17 00:00:00 2001
From: Catherine Luse <catherine.luse@gmail.com>
Date: Thu, 18 Jun 2020 00:38:57 -0700
Subject: [PATCH] Document K3s cert rotation

---
 content/k3s/latest/en/advanced/_index.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/content/k3s/latest/en/advanced/_index.md b/content/k3s/latest/en/advanced/_index.md
index d7c4c271d24..d7f0e9ba389 100644
--- a/content/k3s/latest/en/advanced/_index.md
+++ b/content/k3s/latest/en/advanced/_index.md
@@ -8,6 +8,7 @@ aliases:
 
 This section contains advanced information describing the different ways you can run and manage K3s:
 
+- [Certificate rotation](#certificate-rotation)
 - [Auto-deploying manifests](#auto-deploying-manifests)
 - [Using Docker as the container runtime](#using-docker-as-the-container-runtime)
 - [Secrets Encryption Config (Experimental)](#secrets-encryption-config-experimental)
@@ -19,6 +20,12 @@ This section contains advanced information describing the different ways you can
 - [Enabling legacy iptables on Raspbian Buster](#enabling-legacy-iptables-on-raspbian-buster)
 - [Experimental SELinux Support](#experimental-selinux-support)
 
+# Certificate Rotation
+
+By default, certificates in K3s expire in 12 months.
+
+If the certificates are expired or have fewer than 90 days remaining before they expire, the certificates are rotated when K3s is restarted.
+
 # Auto-Deploying Manifests
 
 Any file found in `/var/lib/rancher/k3s/server/manifests` will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`.