There is a certificate in OpenShift known as the Service CA. The Service CA certificate is a root Certificate Authority used to issue client certificates. The Service CA certificate is valid for 26 months, and is automatically renewed 13 months before it expires.
The Service CA certificate is stored in the secret named signing-key in the openshift-service-ca namespace.
~]$ oc get secrets signing-key --namespace openshift-service-ca
NAME TYPE DATA AGE
signing-key kubernetes.io/tls 2 124d
This one-liner will display the details of the Service CA certificate.
~]$ oc get secrets signing-key --namespace openshift-service-ca --output jsonpath="{.data.tls\.crt}" | base64 --decode | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7955613061684269241 (0x6e6803edd02610b9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openshift-service-serving-signer@1601480541
Validity
Not Before: Oct 30 15:45:23 2021 GMT
Not After : Dec 29 15:45:24 2023 GMT
Subject: CN=openshift-service-serving-signer@1601480541
Secure Route with the Service CA
By default, a route created with the oc create route command will use the Service CA certificate to secure the route.
~]$ oc create route reencrypt my-route --service my-service
route.route.openshift.io/my-route created
This one-liner displays the details of the certificate securing the route, which shows that the Service CA certificate is being used to secure the route.
~]$ oc get route my-route --output jsonpath={.spec.tls.certificate} | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7955613061684269241 (0x6e6803edd02610b9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openshift-service-serving-signer@1601480541
Validity
Not Before: Oct 30 15:45:23 2021 GMT
Not After : Dec 29 15:45:24 2023 GMT
Subject: CN=openshift-service-serving-signer@1601480541
A service can be configured with a certificate issued by the Service CA. In this example, foo-service is configured with a certificate issued by the Service CA.
~]$ oc annotate service foo-service service.beta.openshift.io/serving-cert-secret-name=foo-certificate
The oc describe service command can be used to show the details of the service. Annotations should show that the foo-certificate secret has been signed by the Service CA.
~]$ oc describe service foo-service
Annotations: service.beta.openshift.io/serving-cert-secret-name: foo-certificate
service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1626455578
TLS Secrets
The oc get secrets command can be used to list the secrets. Secrets with type kubernetes.io/tls contain a public/private keypair.
~]$ oc get secrets --all-namespaces
NAMESPACE NAME TYPE DATA AGE
foo my-secret kubernetes.io/tls 2 123d
bar my-secret kubernetes.io/tls 2 123d
The --output yaml or --output json options can be used to display the YAML or JSON details of the secret. Notice that the "tls.crt" and "tls.key" keys contain a string of alphanumeric characters. This is normal, because the secret values are base64 encoded.
~]$ oc get secrets foo-certificate -o yaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURURENDQWpTZ0F3SUJBZ0lJQ1lTR0pMNHdVaWd3RFFZSktvWklodmN...
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMzgwWHNkVVAvK1RHaUZGRSszOGJ6U2N...
On a Linux system, the base64 command can be used to decode the value, which should display the details of the certificate. Notice the certificate is issued by openshift-service-serving-signer (the Service CA certificate). The issued certificate should have the same validity dates as the Service CA.
~]$ oc get secret foo-certificate -o yaml -o=custom-columns=":.data.tls\.crt" | tail -1 | base64 --decode | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2930717943798429805 (0x28ac007138f7f86d)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openshift-service-serving-signer@1626455578
Validity
Not Before: Jul 16 17:12:57 2021 GMT
Not After : Sep 14 17:12:58 2023 GMT
Service CA Renewal
Let's say the Service CA certificate is renewed. This will not renew the certificates that were issued by the Service CA in the secrets. However, deleting the secret will cause the secret to be recreated.
~]$ oc delete secret foo-certificate
secret "foo-certificate" deleted
The recreated secret will contain a fresh certificate issued by the Service CA. Notice that the age of the secret is now 9 seconds, which confirms it was recreated.
~]$ oc get secrets
NAME TYPE DATA AGE
foo-certificate kubernetes.io/tls 2 9s
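To find every service whose secret still needs that treatment after a renewal, here is an added Python script (not from the article) that compares each service's serving-cert-signed-by annotation with the subject CN of the current Service CA. It assumes, as the output above shows, that the annotation value equals the Issuer CN of the issued certificate, and the live run assumes a logged-in oc and openssl on the PATH.

```python
"""Added example (not from the article): list services whose serving-cert secret was
signed by a Service CA other than the current one, so they can be deleted and reissued
after renewal. Assumes, as the article's output shows, that the serving-cert-signed-by
annotation equals the Issuer CN of the certificate in the secret."""
import base64
import json
import re
import subprocess

SIGNED_BY = "service.beta.openshift.io/serving-cert-signed-by"
SECRET_NAME = "service.beta.openshift.io/serving-cert-secret-name"

def current_signer_cn(tls_crt_b64: str) -> str:
    """Subject CN of the base64-encoded Service CA cert, via openssl (no extra deps)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253"],
                         input=base64.b64decode(tls_crt_b64), capture_output=True,
                         check=True).stdout.decode()
    match = re.search(r"CN=([^,\n]+)", out)
    if not match: raise ValueError("no CN in Service CA subject: " + out.strip())
    return match.group(1)

def stale_serving_cert_services(services_doc: dict, signer_cn: str) -> list:
    """(namespace, service, secret) for services whose cert came from another CA."""
    stale = []
    for svc in services_doc.get("items", []):
        meta = svc["metadata"]
        ann = meta.get("annotations") or {}
        secret, signed_by = ann.get(SECRET_NAME), ann.get(SIGNED_BY)
        # Skip services that never asked for a cert, or whose cert is still pending.
        if secret and signed_by and signed_by != signer_cn:
            stale.append((meta["namespace"], meta["name"], secret))
    return stale

# Constructed sample of `oc get services -A -o json`, trimmed to the fields used.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "foo", "name": "foo-service", "annotations": {
        SECRET_NAME: "foo-certificate", SIGNED_BY: "openshift-service-serving-signer@1626455578"}}},
    {"metadata": {"namespace": "bar", "name": "bar-service", "annotations": {
        SECRET_NAME: "bar-certificate", SIGNED_BY: "openshift-service-serving-signer@1601480541"}}},
    {"metadata": {"namespace": "baz", "name": "plain-service"}},
]}

if __name__ == "__main__":  # live run: needs a logged-in `oc` and `openssl` on PATH
    ca = json.loads(subprocess.check_output(
        ["oc", "get", "secret", "signing-key", "-n", "openshift-service-ca", "-o", "json"]))
    signer = current_signer_cn(ca["data"]["tls.crt"])
    services = json.loads(subprocess.check_output(["oc", "get", "services", "-A", "-o", "json"]))
    for ns, name, secret in stale_serving_cert_services(services, signer):
        print(f"{ns}/{name}: secret {secret} was signed by an older Service CA; "
              f"reissue it with: oc delete secret {secret} -n {ns}")
```

Run against the constructed sample with signer openshift-service-serving-signer@1626455578, only bar-service is reported, because foo-service already matches and plain-service never requested a certificate.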