OpenShift - List SSL certificates in a config map

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

A deployment can use one or more SSL certificates.

The oc get configmaps command can be used to list the config maps in a namespace.

~]$ oc get configmaps --namespace openshift-kube-apiserver-operator
NAME                                  DATA   AGE
kube-apiserver-operator-config        1      364d
kube-apiserver-operator-lock          0      364d
kube-apiserver-to-kubelet-client-ca   1      364d
kube-control-plane-signer-ca          1      364d
loadbalancer-serving-ca               1      364d
localhost-recovery-serving-ca         1      364d
localhost-serving-ca                  1      364d
node-system-admin-ca                  1      246d
service-network-serving-ca            1      364d

 

The oc describe configmap command can be used to display the public certificates in a config map.

~]$ oc describe configmap kube-apiserver-to-kubelet-client-ca --namespace openshift-kube-apiserver-operator
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIIPlAxeXxsNhMwDQYJKoZIhvcNAQELBQAwWDFWMFQGA1UE
AwxNb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2t1YmUtYXBpc2Vy
dmVyLXRvLWt1YmVsZXQtc2lnbmVyQDE2MjY3MDkwNTgwHhcNMjEwNzE5MTUzN...
-----END CERTIFICATE-----

 

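Here is a one-liner that pipes the config map's ca-bundle.crt key to the openssl command to display the details of the public certificate. A single -o option is enough; custom-columns selects the key that holds the certificate.

oc get configmaps <config map name> -n <namespace> -o=custom-columns=":.data.ca-bundle\.crt" | openssl x509 -text -noout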

 

Which should display something like this.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:00:12:de:98:f8:fa:ec:75:0d:39:27:26:fa:00:00:12:d1:98
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=foo.example.com
        Validity
            Not Before: Apr 27 12:57:49 2020 GMT
            Not After : Apr 27 12:57:49 2022 GMT
        Subject: C=US, ST=WI, L=Appleton, O=Acme, OU=Information Technology, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d5:28:83:30:ca:eb:5b:42:1d:49:f1:eb:73:ca:
                    ec:cc:6c:13:f5:f3:72:73:95:0a:45:8c:20:be:d4:
                    fb:c6:c9:e2:02:05:bf:9e:7d:f6:96:ed:0f:64:22:
                    29:57:68:87:88:a3:40:af:18:49:62:40:f9:b8:fc:
                    b1:ec:9f:97:c2:28:62:8c:f7:3b:13:4b:0c:04:76:
                    13:af:6d:33:27:08:3c:bd:cc:e2:a9:c9:a8:71:85:
                    82:e4:38:17:1b:2f:cf:42:30:fb:78:4a:13:c8:63:
                    cc:0c:bc:66:56:1e:33:e9:48:2e:86:98:24:61:d0:
                    4a:9e:25:6f:54:9e:d1:b2:1a:83:f3:2c:a4:c1:3c:
                    77:45:2f:6c:c1:af:e1:35:97:15:51:2d:bd:8f:52:
                    4b:8d:2a:48:47:65:90:ee:6a:27:a2:ae:96:63:a5:
                    f6:f6:62:87:f7:f7:74:9f:a3:ea:0a:db:4d:83:99:
                    3b:f2:46:22:5e:f2:32:40:07:d2:84:4c:91:a1:40:
                    7c:1c:e8:64:fa:e9:b0:62:b5:84:ab:76:6c:8c:03:
                    d9:0d:26:1e:23:bb:c0:33:12:97:79:6e:14:b8:11:
                    07:ed:9e:95:d8:bc:6f:6b:8c:6c:35:c8:4b:12:fb:
                    7d:85:78:0f:c0:d2:df:9c:d9:2b:da:ee:0e:b6:bd:
                    d3:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example
            X509v3 Subject Key Identifier: 
                96:16:15:4D:BF:3C:73:9E:5C:17:28:22:DE:11:81:EE:69:C6:10:E6
            X509v3 Authority Key Identifier: 
                keyid:73:BB:DE:B5:54:49:BD:F2:8C:D9:BE:17:04:94:CB:27:B5:5E:84:B9

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.example.com/certenroll/example.crl
                  
            Authority Information Access: 
                CA Issuers - URI:http://crl.example.com/certenroll/issuer.crt

            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            1.4.6.7.4.1.322.21.7: 
                0..&+.....7.....C...=...8.......>........V..d...
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            1.4.6.7.4.1.322.21.7: 
                0.0
..+.......0
..+.......
    Signature Algorithm: sha256WithRSAEncryption
         9e:07:5c:78:52:bb:ac:d9:a3:ce:43:66:cc:c2:1e:cf:af:de:
         45:ad:b1:bd:cb:1e:45:9b:4a:ae:48:03:25:81:93:1f:11:1a:
         ee:0b:c9:70:f4:d1:9d:d7:8f:02:fc:56:46:3a:5e:97:82:3e:
         7b:d7:d4:4c:96:9e:16:91:bb:d9:80:18:b7:84:bf:3f:23:b3:
         78:37:bd:fc:da:32:0d:42:1f:1f:d3:07:5a:87:f9:b6:56:dc:
         46:d3:48:a2:69:50:0e:89:6c:c4:70:c4:bf:3e:5f:d1:2a:86:
         f8:9e:27:27:a2:7f:b2:71:ca:b7:e4:73:51:2e:06:fc:0a:af:
         a9:aa:c7:c1:69:4b:78:b1:a9:10:6d:e5:d5:76:da:21:30:32:
         2e:aa:51:78:66:59:16:fe:66:4e:47:32:e9:89:91:eb:96:c6:
         c9:84:71:c0:af:ed:d6:78:aa:d1:89:b7:c4:98:2c:f4:40:03:
         13:07:1a:75:cc:f3:d0:5e:63:c2:a6:75:b7:de:14:ec:83:02:
         63:17:13:0b:c1:dc:ad:f3:29:0f:1a:4d:1e:fc:d4:15:af:ca:
         c4:78:55:f4:db:af:e0:37:cd:b3:39:f4:24:23:7b:03:f8:d3:
         2e:e8:16:0a:e9:36:e8:fc:1e:9d:40:5e:e7:77:9e:c6:a4:11:
         81:5a:19:c7
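
A config map such as a CA bundle often holds more than one certificate, and openssl x509 parses only the first PEM block it reads. The following script is an added example, not part of the original article: it splits the bundle and reports the expiry status of every certificate. The function names split_pem_bundle and report_bundle and the 30 day warning threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: `openssl x509` parses only the first PEM block it reads, so a
# ca-bundle.crt holding several CAs must be split before each one is checked.

# split_pem_bundle DIR (hypothetical helper): read PEM text on stdin, write each
# certificate to DIR/cert-NNN.pem and print the number of certificates found.
split_pem_bundle() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  '
}

# report_bundle [WARN_DAYS] (hypothetical helper): read a PEM bundle on stdin and
# print one tab-separated line per certificate: file, status (OK, EXPIRING,
# EXPIRED or UNPARSEABLE), notAfter, subject. WARN_DAYS defaults to 30 (assumed).
# The body runs in a subshell so its variables do not leak into the caller.
report_bundle() (
  warn_secs=$(( ${1:-30} * 86400 ))
  tmp=$(mktemp -d) || exit 1
  split_pem_bundle "$tmp" >/dev/null
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || break                       # the bundle held no certificates
    end=- subject=-
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
      status=UNPARSEABLE                       # truncated or corrupted PEM block
    else
      # -checkend N exits non-zero when the certificate expires within N seconds
      if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
        status=EXPIRED
      elif ! openssl x509 -in "$f" -noout -checkend "$warn_secs" >/dev/null; then
        status=EXPIRING
      else
        status=OK
      fi
      end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
      subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    fi
    printf '%s\t%s\t%s\t%s\n' "${f##*/}" "$status" "$end" "$subject"
  done
  rm -rf "$tmp"
)

# Usage against a cluster (placeholders as in the article):
#   oc get configmap <config map name> -n <namespace> \
#     -o jsonpath='{.data.ca-bundle\.crt}' | report_bundle 30
```

The jsonpath output contains only the value of the ca-bundle.crt key, so nothing but PEM text reaches the script.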

 



