diff --git a/pkg/kubelet/certificate/bootstrap/BUILD b/pkg/kubelet/certificate/bootstrap/BUILD
index 3d12e166a41..05d24e0c0f4 100644
--- a/pkg/kubelet/certificate/bootstrap/BUILD
+++ b/pkg/kubelet/certificate/bootstrap/BUILD
@@ -22,7 +22,6 @@ go_library(
 srcs = ["bootstrap.go"],
 importpath = "k8s.io/kubernetes/pkg/kubelet/certificate/bootstrap",
 deps = [
- "//pkg/kubelet/util/csr:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
@@ -32,6 +31,7 @@ go_library(
 "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
 "//vendor/k8s.io/client-go/transport:go_default_library",
 "//vendor/k8s.io/client-go/util/cert:go_default_library",
+ "//vendor/k8s.io/client-go/util/certificate/csr:go_default_library",
 ],
 )
diff --git a/pkg/kubelet/certificate/bootstrap/bootstrap.go b/pkg/kubelet/certificate/bootstrap/bootstrap.go
index 2a954332d27..d123c0beee5 100644
--- a/pkg/kubelet/certificate/bootstrap/bootstrap.go
+++ b/pkg/kubelet/certificate/bootstrap/bootstrap.go
@@ -32,7 +32,7 @@ import (
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 "k8s.io/client-go/transport"
 certutil "k8s.io/client-go/util/cert"
- "k8s.io/kubernetes/pkg/kubelet/util/csr"
+ "k8s.io/client-go/util/certificate/csr"
 )
 const (
diff --git a/pkg/kubelet/util/BUILD b/pkg/kubelet/util/BUILD
index a51fc6daea0..fdb78bddfba 100644
--- a/pkg/kubelet/util/BUILD
+++ b/pkg/kubelet/util/BUILD
@@ -53,7 +53,6 @@ filegroup(
 srcs = [
 ":package-srcs",
 "//pkg/kubelet/util/cache:all-srcs",
- "//pkg/kubelet/util/csr:all-srcs",
 "//pkg/kubelet/util/format:all-srcs",
 "//pkg/kubelet/util/ioutils:all-srcs",
 "//pkg/kubelet/util/queue:all-srcs",
diff --git a/staging/src/k8s.io/client-go/util/certificate/BUILD b/staging/src/k8s.io/client-go/util/certificate/BUILD
index 6903afd3bb2..f10a2d9e21e 100644
--- a/staging/src/k8s.io/client-go/util/certificate/BUILD
+++ b/staging/src/k8s.io/client-go/util/certificate/BUILD
@@ -38,7 +38,6 @@ go_library(
 importpath = "k8s.io/client-go/util/certificate",
 tags = ["automanaged"],
 deps = [
- "//pkg/kubelet/util/csr:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
@@ -46,6 +45,7 @@ go_library(
 "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
 "//vendor/k8s.io/client-go/util/cert:go_default_library",
+ "//vendor/k8s.io/client-go/util/certificate/csr:go_default_library",
 ],
 )
@@ -58,7 +58,10 @@ filegroup(
 filegroup(
 name = "all-srcs",
- srcs = [":package-srcs"],
+ srcs = [
+ ":package-srcs",
+ "//staging/src/k8s.io/client-go/util/certificate/csr:all-srcs",
+ ],
 tags = ["automanaged"],
 visibility = ["//visibility:public"],
 )
diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
index 22b14f363d3..e27966f5e1b 100644
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go
@@ -35,7 +35,7 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 "k8s.io/client-go/util/cert"
- "k8s.io/kubernetes/pkg/kubelet/util/csr"
+ "k8s.io/client-go/util/certificate/csr"
 )
 // certificateWaitBackoff controls the amount and timing of retries when the
diff --git a/pkg/kubelet/util/csr/BUILD b/staging/src/k8s.io/client-go/util/certificate/csr/BUILD
similarity index 91%
rename from pkg/kubelet/util/csr/BUILD
rename to staging/src/k8s.io/client-go/util/certificate/csr/BUILD
index 78c435528b5..c6def5bbf0c 100644
--- a/pkg/kubelet/util/csr/BUILD
+++ b/staging/src/k8s.io/client-go/util/certificate/csr/BUILD
@@ -9,9 +9,8 @@ load(
 go_library(
 name = "go_default_library",
 srcs = ["csr.go"],
- importpath = "k8s.io/kubernetes/pkg/kubelet/util/csr",
+ importpath = "k8s.io/client-go/util/certificate/csr",
 deps = [
- "//pkg/apis/certificates/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
@@ -43,7 +42,7 @@ filegroup(
 go_test(
 name = "go_default_test",
 srcs = ["csr_test.go"],
- importpath = "k8s.io/kubernetes/pkg/kubelet/util/csr",
+ importpath = "k8s.io/client-go/util/certificate/csr",
 library = ":go_default_library",
 deps = [
 "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
diff --git a/pkg/kubelet/util/csr/csr.go b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
similarity index 93%
rename from pkg/kubelet/util/csr/csr.go
rename to staging/src/k8s.io/client-go/util/certificate/csr/csr.go
index 53b67f8650e..22112a5b5b6 100644
--- a/pkg/kubelet/util/csr/csr.go
+++ b/staging/src/k8s.io/client-go/util/certificate/csr/csr.go
@@ -19,14 +19,15 @@ package csr
 import (
 "crypto"
 "crypto/sha512"
+ "crypto/x509"
 "crypto/x509/pkix"
 "encoding/base64"
+ "encoding/pem"
 "fmt"
+ "github.com/golang/glog"
 "reflect"
 "time"
- "github.com/golang/glog"
-
 certificates "k8s.io/api/certificates/v1beta1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -38,7 +39,6 @@ import (
 certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 "k8s.io/client-go/tools/cache"
 certutil "k8s.io/client-go/util/cert"
- certhelper "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
 )
 // RequestNodeCertificate will create a certificate signing request for a node
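Review bot: The `"github.com/golang/glog"` import ends up inside the standard-library group of csr.go's import block (hunk `@@ -19,14 +19,15 @@`), between `"fmt"` and `"reflect"`, whereas the old side kept it in a group of its own. gofmt sorts within a group but will not split the groups again, so the vendored dependency stays mixed into the stdlib block unless it is moved by hand. I would put the line back below the blank line that follows `"time"`, ahead of `certificates "k8s.io/api/certificates/v1beta1"`; the two other added imports, `"crypto/x509"` and `"encoding/pem"`, are in the right group.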
@@ -200,11 +200,11 @@ func digestedName(privateKeyData []byte, subject *pkix.Name, usages []certificat
 // ensureCompatible ensures that a CSR object is compatible with an original CSR
 func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error {
- newCsr, err := certhelper.ParseCSR(new)
+ newCsr, err := ParseCSR(new)
 if err != nil {
 return fmt.Errorf("unable to parse new csr: %v", err)
 }
- origCsr, err := certhelper.ParseCSR(orig)
+ origCsr, err := ParseCSR(orig)
 if err != nil {
 return fmt.Errorf("unable to parse original csr: %v", err)
 }
@@ -244,3 +244,18 @@ func formatError(format string, err error) error {
 }
 return fmt.Errorf(format, err)
 }
+
+// ParseCSR extracts the CSR from the API object and decodes it.
+func ParseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
+ // extract PEM from request object
+ pemBytes := obj.Spec.Request
+ block, _ := pem.Decode(pemBytes)
+ if block == nil || block.Type != "CERTIFICATE REQUEST" {
+ return nil, fmt.Errorf("PEM block type must be CERTIFICATE REQUEST")
+ }
+ csr, err := x509.ParseCertificateRequest(block.Bytes)
+ if err != nil {
+ return nil, err
+ }
+ return csr, nil
+}
diff --git a/pkg/kubelet/util/csr/csr_test.go b/staging/src/k8s.io/client-go/util/certificate/csr/csr_test.go
similarity index 100%
rename from pkg/kubelet/util/csr/csr_test.go
rename to staging/src/k8s.io/client-go/util/certificate/csr/csr_test.go
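Review bot: ParseCSR, added at the end of csr.go (hunk `@@ -244,3 +244,18 @@`) and now exported from client-go, parses the request without validating it: `x509.ParseCertificateRequest` does not check the request's self-signature, and the `_` in `block, _ := pem.Decode(pemBytes)` discards anything that follows the first PEM block. That is only safe if each caller checks the result itself; whether `ensureCompatible` does so is not visible here, since its body continues outside the earlier hunk. The doc comment should state the contract for other callers, for example `// ParseCSR decodes the first PEM block of obj.Spec.Request as a PKCS#10 request. It does not verify the request signature (call CheckSignature on the result) and ignores any data after that block.` A nil `obj` also panics on `obj.Spec.Request`, so either document that precondition or return an error for it.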