OpenShift - List SSL certificates in a secret

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

A deployment can use one or more TLS certificates. In OpenShift these are normally stored in secrets of type kubernetes.io/tls, with the certificate under the tls.crt key and the matching private key under tls.key.

This article describes how to list the SSL certificates in secrets.

The oc get secrets command lists the secrets in a namespace. The TYPE column shows which ones hold a certificate and key pair: kubernetes.io/tls, or the older SecretTypeTLS label that some OpenShift operators still apply. Note that listing a secret only requires list permission on secrets; reading its data (the next step) requires get permission, and anyone with that permission can recover the private key.

 ~]$ oc get secrets --namespace openshift-kube-apiserver-operator
NAME                                      TYPE                                  DATA   AGE
aggregator-client-signer                  kubernetes.io/tls                     2      123d
kube-apiserver-operator-serving-cert      kubernetes.io/tls                     2      124d
kube-apiserver-to-kubelet-signer          SecretTypeTLS                         2      124d
kube-control-plane-signer                 kubernetes.io/tls                     2      94d
loadbalancer-serving-signer               SecretTypeTLS                         2      124d
localhost-recovery-serving-signer         kubernetes.io/tls                     2      124d
localhost-serving-signer                  SecretTypeTLS                         2      124d
next-bound-service-account-signing-key    Opaque                                2      124d
node-system-admin-client                  kubernetes.io/tls                     2      124d
node-system-admin-signer                  kubernetes.io/tls                     2      124d
service-network-serving-signer            SecretTypeTLS                         2      124d


The -o yaml or -o json option displays the YAML or JSON details of the secret. Notice that the tls.crt and tls.key values are long strings of alphanumeric characters. This is normal: secret data is base64 encoded. Base64 is an encoding, not encryption, so it provides no protection, and the decoded tls.key is the plaintext private key.

~]$ oc get secrets service-network-serving-signer --namespace openshift-kube-apiserver-operator -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURURENDQWpTZ0F3SUJBZ0lJQ1lTR0pMNHdVaWd3RFFZSktvWklodmN...
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMzgwWHNkVVAvK1RHaUZGRSszOGJ6U2N...


On a Linux system, the base64 command decodes the value back to PEM, and piping the result into openssl x509 prints the details of the certificate. Decode the tls.crt value only; there is no reason to echo the tls.key value into a terminal (or shell history) just to inspect the certificate.

~]$ echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJS0t3QWNUajMrR..." | base64 --decode | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2930717943798429805 (0x28ac007138f7f86d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1626455578
        Validity
            Not Before: Jul 16 17:12:57 2021 GMT
            Not After : Sep 14 17:12:58 2023 GMT


Or, here is a oneliner. Only one -o flag is needed (when several are given, the last one wins); the custom-columns output starts with an empty header line, which tail -1 skips.

oc get secret <secret name> -n <namespace> -o custom-columns=":.data.tls\.crt" | tail -1 | base64 -d | openssl x509 -noout -text
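The steps above, put together as a small script. This is an added example and is not part of the original article or of OpenShift: it takes a secret saved with oc get secret <name> -n <namespace> -o yaml > secret.yaml, decodes only the tls.crt value (never tls.key), prints subject, issuer and expiry, and fails if the certificate expires within a threshold, which is what you actually want from the signer secrets listed above. It assumes openssl, a base64 that accepts -d, and awk on PATH; the sample secret it builds for testing is constructed at runtime from a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example, not part of the original article or of OpenShift itself.
# Inspect the certificate held in a kubernetes.io/tls secret that was saved with:
#   oc get secret <name> -n <namespace> -o yaml > secret.yaml
# Assumes: openssl, base64 (coreutils or BSD, must accept -d) and awk on PATH.
set -eu

# Pull the base64 tls.crt value out of the saved YAML and decode it back to PEM.
# Deliberately ignores tls.key: the private key is a credential and should not
# be decoded into a terminal or shell history just to look at the certificate.
secret_cert_pem() {
    awk '$1 == "tls.crt:" { print $2; exit }' "$1" | base64 -d
}

# Print subject, issuer and expiry of the first certificate in a PEM file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Succeed (exit 0) only if the certificate stays valid for at least $2 more days.
# -checkend avoids date arithmetic, which differs between GNU and BSD date.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Report on a saved secret; exit status 0 = fine, 1 = expires within $2 days.
check_secret() {
    yaml="$1"
    min_days="${2:-30}"
    pem="$(mktemp)"
    secret_cert_pem "$yaml" > "$pem"
    cert_summary "$pem"
    if cert_valid_for_days "$pem" "$min_days"; then
        echo "OK: valid for at least $min_days more days"
        rm -f "$pem"
        return 0
    fi
    echo "WARNING: expires within $min_days days or is already expired"
    rm -f "$pem"
    return 1
}

# Constructed sample: a throwaway self-signed cert, wrapped in the YAML shape that
# `oc get secret -o yaml` produces, so the functions above can be exercised offline.
make_sample_secret() {
    dir="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days "$days" -subj "/CN=sample-signer" >/dev/null 2>&1
    {
        echo "apiVersion: v1"
        echo "kind: Secret"
        echo "type: kubernetes.io/tls"
        echo "data:"
        printf '  tls.crt: %s\n' "$(base64 < "$dir/cert.pem" | tr -d '\n')"
        printf '  tls.key: %s\n' "$(base64 < "$dir/key.pem" | tr -d '\n')"
    } > "$dir/secret.yaml"
}

# Usage: ./check-tls-secret.sh secret.yaml [min_days]
if [ $# -ge 1 ]; then
    check_secret "$1" "${2:-30}"
fi
```

On a real cluster, save the secret first and then run the script against the file, for example oc get secret service-network-serving-signer -n openshift-kube-apiserver-operator -o yaml > signer.yaml followed by ./check-tls-secret.sh signer.yaml 30. The non-zero exit status on a soon-to-expire certificate makes it easy to run from a cron job or CI check across the signer secrets in the listing above.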
