OpenShift - List SSL certificates in a secret

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

A deployment can use one or more SSL certificates:

This article describes how to list the SSL certificates in secrets.

The oc get secrets command can be used to list the secrets in a namespace.

~]$ oc get secrets --namespace openshift-kube-apiserver-operator
NAME                                      TYPE                                  DATA   AGE
aggregator-client-signer                             2      123d
kube-apiserver-operator-serving-cert                     2      124d
kube-apiserver-to-kubelet-signer          SecretTypeTLS                         2      124d
kube-control-plane-signer                            2      94d
loadbalancer-serving-signer               SecretTypeTLS                         2      124d
localhost-recovery-serving-signer                     2      124d
localhost-serving-signer                  SecretTypeTLS                         2      124d
next-bound-service-account-signing-key    Opaque                                2      124d
node-system-admin-client                             2      124d
node-system-admin-signer                             2      124d
service-network-serving-signer            SecretTypeTLS                         2      124d


The -o yaml or -o json options can be used to display the YAML or JSON details of the secret. Notice that the "tls.crt" and "tls.key" keys contain a string of alphanumeric characters. This is normal, because the secret value is base64 encoded. Base64 is an encoding, not encryption, so anyone who can read the secret can recover the private key in "tls.key".

~]$ oc get secrets service-network-serving-signer --namespace openshift-kube-apiserver-operator -o yaml
apiVersion: v1


On a Linux system, the base64 command can be used to decode the value, and the decoded PEM can be piped to openssl x509 to display the details of the certificate.

~]$ echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJS0t3QWNUajMrR..." | base64 --decode | openssl x509 -text -noout
        Version: 3 (0x2)
        Serial Number: 2930717943798429805 (0x28ac007138f7f86d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1626455578
            Not Before: Jul 16 17:12:57 2021 GMT
            Not After : Sep 14 17:12:58 2023 GMT


Or, here is a one-liner.

oc get secret -n <namespace> <secret name> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
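The commands above show one certificate from one secret. The following added example (not part of the original article) goes further: it walks every data key of every secret in a namespace and prints the subject and expiry of each certificate, including every certificate in a bundle, because openssl x509 on its own reads only the first PEM block. It assumes oc, base64, awk and openssl are on the PATH; the function names split_secret_certs and list_namespace_certs are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Read one base64-encoded secret value on stdin, decode it, and write each PEM
# certificate it contains to <outdir>/cert-NN.pem. Prints the number found.
split_secret_certs() {
  base64 -d 2>/dev/null | awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }'
}

# For every data key of every secret in the namespace, print the subject and
# expiry of each certificate. Private keys and other values yield 0 and are
# skipped, so nothing from tls.key is ever printed.
list_namespace_certs() {
  ns=$1
  for secret in $(oc get secrets -n "$ns" -o name); do
    # The go-template emits one "<key> <base64 value>" line per data key,
    # so keys other than tls.crt (for example ca.crt) are covered as well.
    oc get "$secret" -n "$ns" \
      -o go-template='{{range $k, $v := .data}}{{$k}} {{$v}}{{"\n"}}{{end}}' |
    while read -r key value; do
      tmp=$(mktemp -d)
      count=$(printf '%s' "$value" | split_secret_certs "$tmp")
      if [ "$count" -gt 0 ]; then
        echo "== $secret $key: $count certificate(s)"
        for pem in "$tmp"/cert-*.pem; do
          openssl x509 -in "$pem" -noout -subject -enddate
        done
      fi
      rm -rf "$tmp"
    done
  done
}

# Run against a namespace only when one is given on the command line.
if [ "$#" -eq 1 ]; then
  list_namespace_certs "$1"
fi
```

Run it as `sh list-certs.sh <namespace>` (the file name is an assumption); the decoded certificates are written to a temporary directory that is removed after each key is processed.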

