Bootstrap FreeKB - OpenShift - Service CA (certificate authority) SSL certificate


OpenShift ships a cluster-internal certificate authority known as the Service CA. It is a self-signed root CA, managed by the service-ca-operator, that issues serving (server) certificates for services inside the cluster; it does not issue client certificates. The Service CA certificate is valid for 26 months and is automatically rotated when less than 13 months of validity remain. After a rotation the previous CA stays trusted until it expires, which gives workloads time to pick up the new key material.

The Service CA certificate is stored in the secret named signing-key in the openshift-service-ca namespace. Because the secret is of type kubernetes.io/tls it holds the CA's private key as well as its certificate, so anyone who can read it can mint a certificate for any service in the cluster; treat read access to openshift-service-ca as highly privileged.

~]$ oc get secrets signing-key --namespace openshift-service-ca
NAME                         TYPE                                  DATA   AGE
signing-key                  kubernetes.io/tls                     2      124d

 

This oneliner will display the details of the Service CA certificate.

~]$ oc get secrets signing-key --namespace openshift-service-ca --output jsonpath="{.data.tls\.crt}" | base64 --decode | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7955613061684269241 (0x6e6803edd02610b9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1601480541
        Validity
            Not Before: Oct 30 15:45:23 2021 GMT
            Not After : Dec 29 15:45:24 2023 GMT
        Subject: CN=openshift-service-serving-signer@1601480541

 


Secure Route with the Service CA

A reencrypt route created with oc create route reencrypt terminates TLS at the router and then opens a second TLS connection to the pod. Unless --cert is given, the router presents the cluster's default ingress certificate to external clients. For the backend leg the router needs a CA to verify the service's serving certificate; when --dest-ca-cert is not given, the Service CA is used, which is what makes service serving certificates and reencrypt routes fit together with no extra configuration.

~]$ oc create route reencrypt my-route --service my-service
route.route.openshift.io/my-route created

 

This one-liner displays the destination CA the route uses to verify the backend. The output is the Service CA certificate (note the serial number matches the signing-key certificate above). If the field is empty, the route was created without --dest-ca-cert and the router is falling back to the Service CA bundle, so the serving certificate presented by the pod must be one issued by the Service CA.

~]$ oc get route my-route --output jsonpath={.spec.tls.destinationCACertificate} | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7955613061684269241 (0x6e6803edd02610b9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1601480541
        Validity
            Not Before: Oct 30 15:45:23 2021 GMT
            Not After : Dec 29 15:45:24 2023 GMT
        Subject: CN=openshift-service-serving-signer@1601480541

 

A service requests a certificate from the Service CA by being annotated with the name of the secret the operator should create. The operator generates a key pair, issues a certificate for the service's DNS names (foo-service.foo.svc and foo-service.foo.svc.cluster.local) and stores both in that secret. In this example, foo-service is configured with a certificate issued by the Service CA.

oc annotate service foo-service service.beta.openshift.io/serving-cert-secret-name=foo-certificate

 

The oc describe service command shows the details of the service. The serving-cert-signed-by annotation records which Service CA, by its CN, signed the certificate in the foo-certificate secret; after a Service CA rotation this value is how you tell secrets that still carry an old certificate from freshly issued ones.

~]$ oc describe service foo-service
Annotations:              service.beta.openshift.io/serving-cert-secret-name: foo-certificate
                          service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1626455578
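The manifest form of the annotation above, together with a pod that mounts the issued secret and a ConfigMap that receives the Service CA bundle for the client side. This is an added example and not from the original article: foo-service, foo-certificate and namespace foo are taken from the article, while the Deployment, the container image and the mount path are assumed for illustration.

```yaml
# Service side: the annotation asks service-ca-operator to create Secret
# foo-certificate (keys tls.crt and tls.key) for foo-service.foo.svc.
apiVersion: v1
kind: Service
metadata:
  name: foo-service
  namespace: foo
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: foo-certificate
spec:
  selector:
    app: foo
  ports:
  - name: https
    port: 8443
    targetPort: 8443
---
# Consumer of the secret: the pod mounts it and serves TLS from it.
# Deployment name, image and mount path are assumed for this example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
  namespace: foo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
      - name: foo
        image: registry.example.com/foo:1.0   # assumed
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: serving-cert
          mountPath: /etc/tls/private          # assumed; app reads tls.crt/tls.key here
          readOnly: true
      volumes:
      - name: serving-cert
        secret:
          secretName: foo-certificate
---
# Client side: service-ca-operator writes the Service CA certificate into
# key service-ca.crt of an annotated ConfigMap, so an in-cluster client can
# verify foo-service without trusting the public ingress CA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: service-ca-bundle
  namespace: foo
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
```

Mount the secret as a whole volume rather than with subPath: a subPath mount is never refreshed by the kubelet, so a reissued certificate would not reach the container until the pod is recreated.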

 


TLS Secrets

The oc get secrets command lists the secrets. Secrets of type kubernetes.io/tls hold a certificate (tls.crt) and the matching private key (tls.key).

 ~]$ oc get secrets --all-namespaces
NAMESPACE    NAME         TYPE                 DATA    AGE
foo          my-secret    kubernetes.io/tls    2       123d
bar          my-secret    kubernetes.io/tls    2       123d

 

The --output yaml or --output json options display the YAML or JSON details of the secret. Notice that the tls.crt and tls.key values are long strings of alphanumeric characters. This is normal: secret values are base64 encoded, not encrypted, so anyone who can read the secret can recover the private key.

~]$ oc get secrets foo-certificate -o yaml
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURURENDQWpTZ0F3SUJBZ0lJQ1lTR0pMNHdVaWd3RFFZSktvWklodmN...
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMzgwWHNkVVAvK1RHaUZGRSszOGJ6U2N...

 

On a Linux system, the base64 command decodes the value and openssl prints the certificate. Notice the certificate is issued by openshift-service-serving-signer (the Service CA). In this example the issued certificate carries the same 26-month lifetime as the Service CA; a serving certificate is only trustworthy for as long as the CA that signed it, so check Not After on both.

~]$ oc get secret foo-certificate --output jsonpath="{.data.tls\.crt}" | base64 --decode | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2930717943798429805 (0x28ac007138f7f86d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1626455578
        Validity
            Not Before: Jul 16 17:12:57 2021 GMT
            Not After : Sep 14 17:12:58 2023 GMT

 


Service CA Renewal

Let's say the Service CA certificate is renewed. Certificates already issued into secrets are not replaced at that instant, and a pod that loaded its tls.crt and tls.key at startup keeps using the old key material until it is restarted. To force a fresh certificate right away, delete the secret; the operator recreates it.

~]$ oc delete secret foo-certificate
secret "foo-certificate" deleted

 

The recreated secret contains a fresh certificate issued by the current Service CA, and its serving-cert-signed-by annotation names the current signer. The AGE of 9 seconds shows the secret was recreated. A pod that mounts the secret as a volume sees the new files once the kubelet refreshes the mount; a process that read the key at startup still has to be restarted to use it.

 ~]$ oc get secrets
NAME                             TYPE                                  DATA   AGE
foo-certificate                  kubernetes.io/tls                     2      9s
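The checks a practitioner runs on a serving-cert secret before and after a Service CA rotation (does the certificate chain to the Service CA, does the serving-cert-signed-by annotation name that CA, is enough validity left), written as a script. This is an added example for the TLS Secrets and Service CA Renewal sections above and is not from the original article. It runs offline: instead of reading signing-key and foo-certificate from a cluster it generates a throwaway CA and serving certificate with openssl as constructed stand-ins, plus a second CA to represent a signer the secret was not issued by. The signer CN is copied from the article's annotation; the oc commands in the comments show how to feed real secrets in.

```bash
#!/usr/bin/env bash
# Added example, not from the article. Real clusters: write the two PEMs with
#   oc get secret signing-key -n openshift-service-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt
#   oc get secret foo-certificate -n foo -o jsonpath='{.data.tls\.crt}' | base64 -d > svc.crt
# and pass those paths to the functions below.
set -eu

WORK="$(mktemp -d)"
SIGNER_CN="openshift-service-serving-signer@1626455578"   # assumed; copied from the article

# Constructed fixtures standing in for the cluster's secrets.
make_fixtures() {
  # stand-in for signing-key: self-signed CA valid 790 days (26 months)
  openssl req -x509 -newkey rsa:2048 -nodes -days 790 -subj "/CN=${SIGNER_CN}" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # stand-in for foo-certificate: serving cert for foo-service in namespace foo
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foo-service.foo.svc" \
    -keyout "$WORK/svc.key" -out "$WORK/svc.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/svc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 790 -out "$WORK/svc.crt" >/dev/null 2>&1
  # an unrelated signer: what the current CA looks like to a secret that missed a rotation
  openssl req -x509 -newkey rsa:2048 -nodes -days 790 \
    -subj "/CN=openshift-service-serving-signer@1700000000" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" >/dev/null 2>&1
}

# Subject CN of a certificate, e.g. openshift-service-serving-signer@1626455578
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

# Check 1: does CERT chain to CA? (0 = yes)
signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the serving-cert-signed-by annotation name this CA?
annotation_matches_ca() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Check 3: is CERT still valid MIN_DAYS from now? (openssl -checkend takes seconds)
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# The decision: keep the secret, or delete it so the operator reissues it.
serving_cert_ok() {
  local ca="$1" cert="$2" annotation="$3" min_days="$4"
  signed_by_ca "$ca" "$cert" \
    && annotation_matches_ca "$ca" "$annotation" \
    && valid_for_days "$cert" "$min_days"
}

make_fixtures
if serving_cert_ok "$WORK/ca.crt" "$WORK/svc.crt" "$SIGNER_CN" 30; then
  echo "foo-certificate: signed by $(cert_cn "$WORK/ca.crt") with more than 30 days left"
else
  echo "foo-certificate: stale or expiring; delete the secret so it is reissued"
fi
```

In a cluster the annotation value comes from oc get service foo-service -o jsonpath='{.metadata.annotations.service\.beta\.openshift\.io/serving-cert-signed-by}', and the 30-day threshold is a policy choice; the operator itself rotates the CA with 13 months left.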

 



