Bug
Resolution: Not a Bug
Major
4.15
Quality / Stability / Reliability
Description of problem:
Once custom API certificates are configured in the hostedcluster resource to replace the self-signed certificate with certificates signed by an external CA:

$ oc get hostedcluster -n <namespace> <hosted-cluster-name> -oyaml
  configuration:
    apiServer:
      audit:
      servingCerts:
        namedCertificates:
        - names:
          - api.<domain>   <---
          servingCertificate:
            name: hcp-cert

the kubeconfig offered in the OCP console neither uses the newly configured API URL name nor includes the CA from the new certificate bundle.
The kubeconfig available in the portal always uses the address from the hostedCluster.spec.services entry for service APIServer, which is the internal API URL and not the external API URL that users should use to connect to the cluster:

  services:
  - service: APIServer
    servicePublishingStrategy:
      nodePort:
        address: api.<domain>   <---
      type: NodePort

When the same URL is configured in both sections (configuration.apiServer and services.APIServer), the kubelet reports an unknown authority error and the nodes go to NotReady.
Version-Release number of selected component (if applicable):
How reproducible:
Easily
Steps to Reproduce:
1. Install an HCP reproducer
2. Configure certificates with a different CA
3. Configure the same API URLs in both mentioned sections of the hostedcluster resource
Actual results:
The kubeconfig always uses the 'internal API' URL from the configuration. Since customers need to connect to the cluster with the kubeconfig, it is not recommended that users connect using the 'internal API' URL; they should use the external API URL configured in the APIServer namedCertificates.
Expected results:
The kubeconfig available for download in the portal should use the external URL configured in the namedCertificates, together with the appropriate CA from the namedCertificates.
Additional info:
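As an added example (not part of this report or of the HyperShift project), a stdlib-only Python check that reads the hostedcluster and the kubeconfig as JSON (the shape returned by `oc get hostedcluster ... -ojson` and `oc config view -ojson`) and reports whether the kubeconfig targets the namedCertificates host or the services.APIServer address, and whether the two sections name the same host. The domain names, the single-cluster sample and the helper names are constructed, and only the nodePort publishing strategy is inspected.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of `oc get hostedcluster ... -ojson`, trimmed to the two
# sections the report compares; example.test is a placeholder domain.
HOSTED_CLUSTER_JSON = """{"spec": {
  "configuration": {"apiServer": {"servingCerts": {"namedCertificates": [
    {"names": ["api.example.test"], "servingCertificate": {"name": "hcp-cert"}}]}}},
  "services": [{"service": "APIServer", "servicePublishingStrategy": {
    "type": "NodePort", "nodePort": {"address": "api-int.example.test"}}}]}}"""

# Constructed sample of a downloaded kubeconfig as shown by `oc config view -ojson`.
KUBECONFIG_JSON = """{"clusters": [
  {"name": "hcp", "cluster": {"server": "https://api-int.example.test:6443"}}]}"""

def load_samples() -> tuple:
    """Parse the constructed samples into (hostedcluster, kubeconfig) dicts."""
    return json.loads(HOSTED_CLUSTER_JSON), json.loads(KUBECONFIG_JSON)

def named_cert_hosts(hc: dict) -> set:
    """Hostnames covered by spec.configuration.apiServer.servingCerts.namedCertificates."""
    api = hc.get("spec", {}).get("configuration", {}).get("apiServer", {})
    certs = api.get("servingCerts", {}).get("namedCertificates", [])
    return {name for cert in certs for name in cert.get("names", [])}

def apiserver_service_host(hc: dict) -> "str | None":
    """Address published for the APIServer service (only the nodePort strategy is inspected)."""
    for svc in hc.get("spec", {}).get("services", []):
        if svc.get("service") == "APIServer":
            return svc.get("servicePublishingStrategy", {}).get("nodePort", {}).get("address")
    return None

def check_kubeconfig(hc: dict, kubeconfig: dict) -> list:
    """Report which API endpoint each kubeconfig cluster targets, plus the collision case."""
    findings = []
    external, internal = named_cert_hosts(hc), apiserver_service_host(hc)
    if internal in external:  # the report ties this to unknown-authority errors and NotReady nodes
        findings.append(f"same host {internal!r} in both configuration.apiServer and services.APIServer")
    for cl in kubeconfig.get("clusters", []):
        host = urlsplit(cl["cluster"]["server"]).hostname
        if host in external:
            findings.append(f"cluster {cl['name']!r} uses external API host {host!r}")
        elif host == internal:
            findings.append(f"cluster {cl['name']!r} uses internal API host {host!r}; "
                            f"expected one of {sorted(external)}")
        else:
            findings.append(f"cluster {cl['name']!r} uses host {host!r}, found in neither section")
    return findings
```

Run `check_kubeconfig(*load_samples())` to see the finding for the constructed sample, where the kubeconfig points at the internal address.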