If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
There are different ways to configure a container with environment variables.
- In a deployment YAML file
- Using Config Map (this article)
- Using Secrets
Config Maps are used to:
- mount configuration files in a container
- create environment variables in a container
- create command line option arguments in a container
Secrets are similar, but are used for sensitive values such as passwords; their data is stored base64-encoded (encoded, not encrypted). Either way, if a change is needed to a configuration file, variable, or command line option argument, you only need to update the config map or secret rather than changing your applications or deployments.
flowchart TB
    subgraph OpenShift["OpenShift Cluster"]
        CM[ConfigMap<br/>Configuration Data]
        SEC[Secret<br/>Sensitive Data]
        subgraph Pod["Pod"]
            subgraph Container["Container"]
                APP[Application]
                VOL1[/Volume Mount<br/>Config Files/]
                VOL2[/Volume Mount<br/>Secret Files/]
                ENV1[Environment Variables<br/>from ConfigMap]
                ENV2[Environment Variables<br/>from Secret]
            end
        end
    end
    CM -->|Mount as Volume| VOL1
    SEC -->|Mount as Volume| VOL2
    CM -->|Inject as EnvVar| ENV1
    SEC -->|Inject as EnvVar| ENV2
    VOL1 -.->|Read Config| APP
    VOL2 -.->|Read Secrets| APP
    ENV1 -.->|Use Config| APP
    ENV2 -.->|Use Secrets| APP
    style CM fill:#90CAF9
    style SEC fill:#FFAB91
    style APP fill:#A5D6A7
    style Pod fill:#E1F5FE
    style Container fill:#F1F8E9
A deployment can use one or more SSL certificates:
- In a config map
- In a secret
- In a deployment's container args (arguments)
The oc get configmaps command can be used to list the config maps in a namespace.
~]$ oc get configmaps --namespace openshift-kube-apiserver-operator
NAME                                   DATA   AGE
kube-apiserver-operator-config         1      364d
kube-apiserver-operator-lock           0      364d
kube-apiserver-to-kubelet-client-ca    1      364d
kube-control-plane-signer-ca           1      364d
loadbalancer-serving-ca                1      364d
localhost-recovery-serving-ca          1      364d
localhost-serving-ca                   1      364d
node-system-admin-ca                   1      246d
service-network-serving-ca             1      364d
The oc describe configmap command can be used to display the public certificates in a config map.
~]$ oc describe configmap kube-apiserver-to-kubelet-client-ca --namespace openshift-kube-apiserver-operator
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIIPlAxeXxsNhMwDQYJKoZIhvcNAQELBQAwWDFWMFQGA1UE
AwxNb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2t1YmUtYXBpc2Vy
dmVyLXRvLWt1YmVsZXQtc2lnbmVyQDE2MjY3MDkwNTgwHhcNMjEwNzE5MTUzN...
-----END CERTIFICATE-----
Here is a one-liner that uses the openssl command to display the details of the public certificate. It prints only the value of the ca-bundle.crt key (without the column header) and pipes it into openssl.
oc get configmap <config map name> -n <namespace> -o custom-columns=":.data.ca-bundle\.crt" --no-headers | openssl x509 -text -noout
This should display something like the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:00:12:de:98:f8:fa:ec:75:0d:39:27:26:fa:00:00:12:d1:98
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=foo.example.com
        Validity
            Not Before: Apr 27 12:57:49 2020 GMT
            Not After : Apr 27 12:57:49 2022 GMT
        Subject: C=US, ST=WI, L=Appleton, O=Acme, OU=Information Technology, CN=foo.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example
            X509v3 Subject Key Identifier:
                96:16:15:4D:BF:3C:73:9E:5C:17:28:22:DE:11:81:EE:69:C6:10:E6
            X509v3 Authority Key Identifier:
                keyid:73:BB:DE:B5:54:49:BD:F2:8C:D9:BE:17:04:94:CB:27:B5:5E:84:B9
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.com/certenroll/example.crl
            Authority Information Access:
                CA Issuers - URI:http://crl.example.com/certenroll/issuer.crt
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            10.11.12.13.4.1.322.21.7:
                0..&+.....7.....C...=...8.......>........V..d...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            10.11.12.13.4.1.322.21.7:
                0.0
                ..+.......0
                ..+.......
    Signature Algorithm: sha256WithRSAEncryption
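One caveat with the one-liner above: openssl x509 prints only the first certificate in a key, and a ca-bundle.crt key may hold several PEM blocks. The stdlib-only Python below is an added example, not code from the original article; it assumes input in the shape that `oc get configmaps,secrets -o json` produces (a constructed sample with placeholder PEM bodies is embedded), counts the certificates and private keys in every data key, decodes Secret values to show they are merely base64-encoded, and flags private keys that were stored in a ConfigMap instead of a Secret.

```python
import base64
import json
import re
from dataclasses import dataclass, field

# One PEM block; group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

@dataclass
class KeyReport:
    kind: str          # "ConfigMap" or "Secret"
    name: str
    key: str
    certificates: int = 0
    private_keys: int = 0
    findings: list = field(default_factory=list)

def audit_object(obj):
    """Report on every data key of one ConfigMap or Secret parsed from `-o json`."""
    kind, name = obj["kind"], obj["metadata"]["name"]
    reports = []
    for key, value in (obj.get("data") or {}).items():
        if kind == "Secret":
            # Secret data is only base64-encoded, not encrypted: one decode call
            # recovers the plaintext for anyone allowed to read the object.
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        report = KeyReport(kind, name, key)
        for match in PEM_BLOCK.finditer(value):
            if match.group(1) == "CERTIFICATE":
                report.certificates += 1
            elif match.group(1).endswith("PRIVATE KEY"):
                report.private_keys += 1
        if kind == "ConfigMap" and report.private_keys:
            report.findings.append("private key in a ConfigMap; it belongs in a Secret")
        if report.certificates > 1:
            report.findings.append(f"bundle of {report.certificates} certificates; "
                                   "'openssl x509 -text' prints only the first")
        reports.append(report)
    return reports

def audit(json_text):
    """Accept one object or a List, the two shapes `oc get ... -o json` returns."""
    top = json.loads(json_text)
    items = top["items"] if top.get("kind") == "List" else [top]
    return [r for item in items for r in audit_object(item)]

def pem(label, body):  # builds a PEM-shaped block; the bodies below are placeholders
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample shaped like `oc get configmaps,secrets -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "trusted-ca"},
     "data": {"ca-bundle.crt": pem("CERTIFICATE", "MIIBroot") + pem("CERTIFICATE", "MIIBinter")}},
    {"kind": "ConfigMap", "metadata": {"name": "app-tls"}, "data": {"tls.key": pem("RSA PRIVATE KEY", "MIIEkey")}},
    {"kind": "Secret", "metadata": {"name": "app-tls"},
     "data": {"tls.key": base64.b64encode(pem("PRIVATE KEY", "MIIEkey").encode()).decode()}}]})
```

Run it against real output with `audit(open("objects.json").read())` after `oc get configmaps,secrets -n <namespace> -o json > objects.json`; each KeyReport carries the counts and any findings for one data key.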