OpenShift Request For Enhancement: RFE-3052

[RFE] Replace trust Certificate for kube-apiserver

    • Type: Feature Request
    • Resolution: Done
    • Priority: Undefined
    • Component: kube-apiserver

      1. Proposed title of this feature request
      [RFE] Replace trust Certificate for kube-apiserver

      2. What is the nature and description of the request?
      Following the document, we can add a trust certificate on the kube-apiserver:
      https://docs.openshift.com/container-platform/4.10/security/certificates/api-server.html

      After doing the config, it verifies successfully:

      curl -vk https://api.ocp4.nielasaran.com:6443
      * Server certificate:
      *  subject: O=Local Cert; CN=api.ocp4.nielasaran.com
      *  start date: Jul 28 05:17:20 2022 GMT
      *  expire date: Jul 4 05:17:20 2122 GMT
      *  issuer: CN=Local Red Hat Ren Signer
      *  SSL certificate verify ok.

      It looks like we can add trust certs by FQDN, but the customer wants to replace the trust certs for the IP. After adding the trust certs, we tried to curl the master node IP:

      curl -vk https://192.168.1.203:6443
      * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=172.30.0.1
      *  start date: Jul 26 10:29:13 2022 GMT
      *  expire date: Aug 25 10:29:14 2022 GMT
      *  issuer: OU=openshift; CN=kube-apiserver-service-network-signer
      *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

      The cert is still the self-signed cert.

      The customer wants us to be able to return a result like the one below:

      curl -vk https://<master_node_ip>:6443
      * Server certificate:
      *  subject: O=Local Cert; CN=api.ocp4.nielasaran.com
      *  start date: Jul 28 05:17:20 2022 GMT
      *  expire date: Jul 4 05:17:20 2122 GMT
      *  issuer: CN=Local Red Hat Ren Signer
      *  SSL certificate verify ok.

      But there is no method to accomplish this.

      3. Why does the customer need this? (List the business requirements here)
      This is a bank customer; they have high-level security requirements and said the OCP certs must pass their scanning tools.

      4. List any affected packages or components.
      none
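The script below is an added example; it is not part of the RFE and not code from OpenShift or the linked document. It wraps the named-certificate steps that the linked document describes (`oc create secret tls` into the openshift-config namespace, then a merge patch of `apiserver/cluster` under `spec.servingCerts.namedCertificates`) and then reproduces the two checks from the ticket with `openssl s_client`: one connection that sends the API FQDN as SNI, one that connects by IP and sends no SNI. Named certificates are selected by the SNI name the client sends, which is why the `names` list holds hostnames and why an IP-only connection falls through to the default certificate, whatever the custom certificate's SAN contains; the classifier flags the internal `kube-apiserver-*-signer` issuers (the ticket shows `kube-apiserver-service-network-signer`). The FQDN, IP, secret name and file paths are placeholders, and `-noservername` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the RFE or the OpenShift docs. Hostnames, IPs,
# secret names and paths are placeholders.

# Install a custom serving certificate for the API FQDN, following the linked
# document: the secret lives in openshift-config and `names` is the list of
# SNI hostnames the certificate is served for. An IP address cannot go here.
add_named_cert() {
  fqdn=$1; secret=$2; cert=$3; key=$4
  oc create secret tls "$secret" --cert="$cert" --key="$key" -n openshift-config
  oc patch apiserver cluster --type=merge -p \
    "{\"spec\":{\"servingCerts\":{\"namedCertificates\":[{\"names\":[\"$fqdn\"],\"servingCertificate\":{\"name\":\"$secret\"}}]}}}"
}

# Print subject and issuer of the leaf certificate HOST:PORT presents. With a
# third argument the ClientHello carries that SNI name (what curl sends for a
# hostname); without it no SNI is sent (what a client connecting by IP sends).
# -noservername requires OpenSSL 1.1.1 or newer.
fetch_cert() {
  host=$1; port=$2; sni=${3:-}
  if [ -n "$sni" ]; then
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -noservername </dev/null 2>/dev/null
  fi | openssl x509 -noout -subject -issuer
}

# Reduce the two lines printed by `openssl x509 -noout -subject -issuer`
# (read from stdin) to one line of the form "<subject> <- <issuer>".
summarize() {
  subj=""; iss=""
  while IFS= read -r line; do
    case "$line" in
      subject=*) subj=${line#subject=} ;;
      issuer=*)  iss=${line#issuer=} ;;
    esac
  done
  printf '%s <- %s\n' "$subj" "$iss"
}

# Classify a summary line by its issuer: OpenShift's internal kube-apiserver
# signers (the ticket shows kube-apiserver-service-network-signer) are the
# default certificates a scanner flags; anything else is taken to be custom.
classify_issuer() {
  case "$1" in
    *kube-apiserver-*-signer*) echo internal ;;
    *) echo custom ;;
  esac
}

# Compare what is served for the FQDN (with SNI) and for a master IP (no SNI).
# Exits non-zero when the IP path still lands on an internal signer.
api_cert_check() {
  fqdn=$1; ip=$2; port=${3:-6443}
  by_name=$(fetch_cert "$fqdn" "$port" "$fqdn" | summarize)
  by_ip=$(fetch_cert "$ip" "$port" | summarize)
  printf 'by FQDN (SNI=%s): %s [%s]\n' "$fqdn" "$by_name" "$(classify_issuer "$by_name")"
  printf 'by IP   (no SNI): %s [%s]\n' "$ip" "$by_ip" "$(classify_issuer "$by_ip")"
  [ "$(classify_issuer "$by_ip")" = custom ]
}

# Usage (placeholders): api_cert_check api.ocp4.example.com 192.0.2.10
if [ -n "${1:-}" ]; then
  api_cert_check "$@"
fi
```

Note that `curl -vk` only reports the verification result and then continues; a scan-style check should drop `-k` and pass `--cacert` with the CA that signed the custom certificate, so a fall-through to the default certificate is a hard failure rather than a line in the log.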

              wcabanba@redhat.com William Caban
              rhn-support-yaoli Yao Li