Document URL: 
https://docs.openshift.com/container-platform/4.1/authentication/certificates/api-server.html#add-default-api-server_api-server-certificates

Section Number and Name: 

    Add an API server default certificate
    Add an API server named certificate

Describe the issue: 

If you follow these and replace the API server default certificate or set a named cert for the internal master api url you will break your cluster unless you add the CA  that signed that cert to the cluster first. 

I believe to add the CA it would go would go here: 

#  oc get -n kube-system cm root-ca --template='{{index .data "ca.crt"}}'

This however will trigger a rolling restart of the node and other objects. 


Suggestions for improvement: 


- Add warning that if this is change and the ca is not part of trust then your cluster will break. 
        - Steps to recover 

- Add steps on adding to your root trust before following these steps. 
     - Add warning that updating the ca trust for the cluster will trigger restarts for all hosts.
 
- Add warning that when adding API server named certificate that you should not set this for the internal openshift master api hostname
   - How do you confirm what that "internal openshift master api hostname" is?
      - I think its this but this likely should not be overwriten with a cert. What are the steps needed to add a public url and then add you namedcert for to the master api.  
                
        $ cluster-info 
        Kubernetes master is running at https://api.master.openshift.com:6443