OpenShift - List SSL certificates in a config map

by Jeremy Canfield | Updated: October 09 2022 | OpenShift articles
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
A deployment can use one or more SSL certificates:
- In a config map
- In a secret
- In a deployment's container args (arguments)
The oc get configmaps command can be used to list the config maps in a namespace.
~]$ oc get configmaps --namespace openshift-kube-apiserver-operator
NAME DATA AGE
kube-apiserver-operator-config 1 364d
kube-apiserver-operator-lock 0 364d
kube-apiserver-to-kubelet-client-ca 1 364d
kube-control-plane-signer-ca 1 364d
loadbalancer-serving-ca 1 364d
localhost-recovery-serving-ca 1 364d
localhost-serving-ca 1 364d
node-system-admin-ca 1 246d
service-network-serving-ca 1 364d
The oc describe configmap command can be used to display the public certificates in a config map.
~]$ oc describe configmap kube-apiserver-to-kubelet-client-ca --namespace openshift-kube-apiserver-operator
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIIPlAxeXxsNhMwDQYJKoZIhvcNAQELBQAwWDFWMFQGA1UE
AwxNb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2t1YmUtYXBpc2Vy
dmVyLXRvLWt1YmVsZXQtc2lnbmVyQDE2MjY3MDkwNTgwHhcNMjEwNzE5MTUzN...
-----END CERTIFICATE-----
Here is a one-liner that uses the openssl command to display the details of the public certificate.
oc get configmaps <config map name> -n <namespace> -o yaml -o=custom-columns=":.data.ca-bundle\.crt" | openssl x509 -text -noout
Which should display something like this.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:00:12:de:98:f8:fa:ec:75:0d:39:27:26:fa:00:00:12:d1:98
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=foo.example.com
Validity
Not Before: Apr 27 12:57:49 2020 GMT
Not After : Apr 27 12:57:49 2022 GMT
Subject: C=US, ST=WI, L=Appleton, O=Acme, OU=Information Technology, CN=foo.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d5:28:83:30:ca:eb:5b:42:1d:49:f1:eb:73:ca:
ec:cc:6c:13:f5:f3:72:73:95:0a:45:8c:20:be:d4:
fb:c6:c9:e2:02:05:bf:9e:7d:f6:96:ed:0f:64:22:
29:57:68:87:88:a3:40:af:18:49:62:40:f9:b8:fc:
b1:ec:9f:97:c2:28:62:8c:f7:3b:13:4b:0c:04:76:
13:af:6d:33:27:08:3c:bd:cc:e2:a9:c9:a8:71:85:
82:e4:38:17:1b:2f:cf:42:30:fb:78:4a:13:c8:63:
cc:0c:bc:66:56:1e:33:e9:48:2e:86:98:24:61:d0:
4a:9e:25:6f:54:9e:d1:b2:1a:83:f3:2c:a4:c1:3c:
77:45:2f:6c:c1:af:e1:35:97:15:51:2d:bd:8f:52:
4b:8d:2a:48:47:65:90:ee:6a:27:a2:ae:96:63:a5:
f6:f6:62:87:f7:f7:74:9f:a3:ea:0a:db:4d:83:99:
3b:f2:46:22:5e:f2:32:40:07:d2:84:4c:91:a1:40:
7c:1c:e8:64:fa:e9:b0:62:b5:84:ab:76:6c:8c:03:
d9:0d:26:1e:23:bb:c0:33:12:97:79:6e:14:b8:11:
07:ed:9e:95:d8:bc:6f:6b:8c:6c:35:c8:4b:12:fb:
7d:85:78:0f:c0:d2:df:9c:d9:2b:da:ee:0e:b6:bd:
d3:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example
X509v3 Subject Key Identifier:
96:16:15:4D:BF:3C:73:9E:5C:17:28:22:DE:11:81:EE:69:C6:10:E6
X509v3 Authority Key Identifier:
keyid:73:BB:DE:B5:54:49:BD:F2:8C:D9:BE:17:04:94:CB:27:B5:5E:84:B9
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.example.com/certenroll/example.crl
Authority Information Access:
CA Issuers - URI:http://crl.example.com/certenroll/issuer.crt
X509v3 Key Usage:
Digital Signature, Key Encipherment
1.4.6.7.4.1.322.21.7:
0..&+.....7.....C...=...8.......>........V..d...
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
1.4.6.7.4.1.322.21.7:
0.0
..+.......0
..+.......
Signature Algorithm: sha256WithRSAEncryption
9e:07:5c:78:52:bb:ac:d9:a3:ce:43:66:cc:c2:1e:cf:af:de:
45:ad:b1:bd:cb:1e:45:9b:4a:ae:48:03:25:81:93:1f:11:1a:
ee:0b:c9:70:f4:d1:9d:d7:8f:02:fc:56:46:3a:5e:97:82:3e:
7b:d7:d4:4c:96:9e:16:91:bb:d9:80:18:b7:84:bf:3f:23:b3:
78:37:bd:fc:da:32:0d:42:1f:1f:d3:07:5a:87:f9:b6:56:dc:
46:d3:48:a2:69:50:0e:89:6c:c4:70:c4:bf:3e:5f:d1:2a:86:
f8:9e:27:27:a2:7f:b2:71:ca:b7:e4:73:51:2e:06:fc:0a:af:
a9:aa:c7:c1:69:4b:78:b1:a9:10:6d:e5:d5:76:da:21:30:32:
2e:aa:51:78:66:59:16:fe:66:4e:47:32:e9:89:91:eb:96:c6:
c9:84:71:c0:af:ed:d6:78:aa:d1:89:b7:c4:98:2c:f4:40:03:
13:07:1a:75:cc:f3:d0:5e:63:c2:a6:75:b7:de:14:ec:83:02:
63:17:13:0b:c1:dc:ad:f3:29:0f:1a:4d:1e:fc:d4:15:af:ca:
c4:78:55:f4:db:af:e0:37:cd:b3:39:f4:24:23:7b:03:f8:d3:
2e:e8:16:0a:e9:36:e8:fc:1e:9d:40:5e:e7:77:9e:c6:a4:11:
81:5a:19:c7
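The one-liner above shows only the first certificate, because openssl x509 stops after one PEM block, while a CA bundle in a config map often holds several. The following is an added example (not from the original article) that splits a bundle and reports subject, issuer and expiry for every certificate; it assumes awk and openssl are installed, and the function names split_bundle and report_bundle are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: report on every certificate in a PEM bundle, not just the first.

# split_bundle DIR  (hypothetical helper)
# Reads a PEM bundle on stdin, writes each certificate block to
# DIR/cert-N.pem and prints the number of certificates found.
# Anything outside BEGIN/END markers (headers, blank lines) is ignored.
split_bundle() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock                       { print > out }
    /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
    END                           { print n + 0 }
  '
}

# report_bundle [DAYS]  (hypothetical helper)
# Reads a PEM bundle on stdin and, for each certificate, prints subject,
# issuer and notAfter, plus a warning if it expires within DAYS (default 30).
report_bundle() {
  rb_days="${1:-30}"
  rb_tmp="$(mktemp -d)" || return 1
  rb_count="$(split_bundle "$rb_tmp")"
  if [ "$rb_count" -eq 0 ]; then
    echo "no certificates found in input" >&2
    rm -rf "$rb_tmp"
    return 1
  fi
  rb_i=1
  while [ "$rb_i" -le "$rb_count" ]; do
    rb_file="$rb_tmp/cert-$rb_i.pem"
    echo "--- certificate $rb_i of $rb_count"
    openssl x509 -in "$rb_file" -noout -subject -issuer -enddate
    # -checkend exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$rb_file" -noout -checkend "$((rb_days * 86400))" >/dev/null; then
      echo "WARNING: expires within $rb_days days (or has already expired)"
    fi
    rb_i=$((rb_i + 1))
  done
  rm -rf "$rb_tmp"
}

# Usage, reusing the command from this article:
#   oc get configmaps <config map name> -n <namespace> \
#     -o=custom-columns=":.data.ca-bundle\.crt" | report_bundle 30
```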