Harden cluster ca certificate and leaf certificates

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.24.9
Cloud being used: bare-metal
Installation method: hyperkube
Host OS: suse linux
CNI and version: canal
CRI and version: docker

we have some security requirements:

  1. currently the kubernetes root CA TTL >= 10 years but key length is 2048. we want bit length >3000 for certificates having TTL >10 years
    1.a is there any way to set the TTL value for k8s root CA?
    1.b is there any way to set the RSA key length for k8s root CA?
  2. is there any way to store k8s root CA private key in a secure place like HSM?
  3. is there way to set TTL for kubelet and api-server certificate to 1 year. currently it’s 10 years.
  4. is there any way to set TTL for scheduler and controller ?

the above requirements are even related to other deployment methods (like kubeadm). it’s a very generic question, so i have not provided much details on the environment setup.

please let me know if any more information required.