
There are a couple ways to get the OpenShift API Server public certificates.
- Using the openssl s_client command
- Using oc and OpenSSL commands (this article)
By far, the openssl s_client command is much easier, but it only provides the server certificate (which is probably all you need anyway). The oc and OpenSSL commands (this article) provide much greater detail and understanding.
If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.
The SSL public/private key pair used to establish the SSL handshake when connecting to the OpenShift API server is stored in a TLS secret in the openshift-config namespace. Of course, this assumes you are able to sign into OpenShift. Check out my article FreeKB - OpenShift - Log into OpenShift using the oc login command.
The oc get secrets command can be used to list the secrets in the openshift-config namespace. In this example, there is a TLS secret named api-cert.
~]$ oc get secrets --namespace openshift-config
NAME TYPE DATA AGE
api-cert kubernetes.io/tls 3 513d
The oc get secret command with the --output yaml or --output json option should show that there are three keys in the secret: ca.crt, tls.crt and tls.key.
~]$ oc get secret api-cert --namespace openshift-config --output json
{
"apiVersion": "v1",
"data": {
"ca.crt": "LS0tL.....g==",
"tls.crt": "LS0tLS1CRUdJT.....S0tLQo=",
"tls.key": "LS0tLS1Ud.....VktLS0tLQo="
}
The jsonpath option can be used to return one of these keys, tls.crt in this example.
~]$ oc get secret api-cert --namespace openshift-config --output jsonpath="{.data.tls\.crt}"
LS0tLS1C.....UtLS0tLQo=
The value of the key is base64 encoded, so the base64 command can be used to decode the encoded string.
~]$ oc get secret api-cert --namespace openshift-config --output jsonpath="{.data.tls\.crt}" | base64 --decode
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
It's not too uncommon for the decoded value to contain a certificate chain: the root certificate authority (CA) certificate, an intermediate certificate, and a server certificate. Unfortunately the openssl command does not have a great way to decode each certificate in a chain, so I almost always create a separate file with the content of each certificate. For example, 1.pem would have the first certificate.
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
And 2.pem would have the second certificate.
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
And then I can use openssl to view the human readable certificate content.
openssl x509 -in 1.pem -text -noout
openssl x509 -in 2.pem -text -noout
Which should return something that begins like this.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:00:00:04:ec:a5:d2:d6:37:dc:94:5d:c1:00:01:00:00:04:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example
        Validity
            Not Before: Jun 18 12:59:36 2024 GMT
            Not After : Jun 18 12:59:36 2025 GMT
        Subject: C = US, ST = CA, L = Los Angeles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
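The whole procedure above (pull tls.crt out of the api-cert secret, base64 decode it, split the chain into 1.pem, 2.pem, ... and view each certificate with openssl x509) as one script. This is an added example, not code from the original article; the function names are mine, and it assumes you are already logged in with oc and have openssl installed.

```shell
#!/bin/sh
# Added example: extract, split and inspect the OpenShift API server
# certificate chain. Assumes oc is logged in and openssl is on the PATH.

# split_chain: read a PEM chain on stdin, write each certificate to
# <outdir>/<n>.pem in the order it appears, and print how many were written.
split_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/" n ".pem" }
        file != ""                    { print > file }
        /-----END CERTIFICATE-----/   { close(file); file = "" }
        END                           { print n + 0 }
    '
}

# describe_chain: run openssl x509 on 1.pem, 2.pem, ... in <outdir> and
# print the subject, issuer and validity dates of each certificate, so the
# server, intermediate and root can be told apart at a glance.
describe_chain() {
    outdir="$1"
    i=1
    while [ -f "$outdir/$i.pem" ]; do
        echo "== $outdir/$i.pem =="
        openssl x509 -in "$outdir/$i.pem" -noout -subject -issuer -dates
        i=$((i + 1))
    done
}

# fetch_api_cert: the article's oc + base64 pipeline for the tls.crt key.
fetch_api_cert() {
    oc get secret api-cert --namespace openshift-config \
        --output jsonpath="{.data.tls\.crt}" | base64 --decode
}

# Only talk to the cluster when invoked as: ./api-cert.sh --run [outdir]
if [ "${1:-}" = "--run" ]; then
    dir="${2:-./api-cert}"
    count=$(fetch_api_cert | split_chain "$dir")
    echo "wrote $count certificate(s) to $dir"
    describe_chain "$dir"
fi
```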