OpenShift - Get API Server Certificates using OpenSSL


There are a couple of ways to get the OpenShift API Server public certificates.

The openssl s_client command (this article) is by far the easier approach, but it only provides the server certificate, which is probably all you need anyway. The oc and OpenSSL commands provide much greater detail and understanding.

To use the OpenSSL command to get the API Server SSL certificate, you will need to know the API Server URL and port. 

The oc get apiserver command can be used to display the API Server URL (api.openshift.example.com in this example), but you need to be logged in to use this command. Check out my article FreeKB - OpenShift - Log into OpenShift using the oc login command.

~]$ oc get apiserver cluster --output jsonpath='{.spec.servingCerts.namedCertificates[*].names[*]}'
api.openshift.example.com

 

The openssl s_client command can be used to return the OpenShift API Server SSL certificate. 

~]$ echo "Q" | openssl s_client -connect api.openshift.example.com:6443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = CA, L = Los Angeles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
   i:DC = com, DC = example, CN = ACMEROOTCA
 1 s:DC = com, DC = example, CN = ACMEROOTCA
   i:CN = ACMEROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

 

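I almost always create a file with the content of the certificate. For example, cert.pem would hold the certificate block from the output above, from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line.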


 

And then I can use openssl to view the human-readable certificate content.

openssl x509 -in cert.pem -text -noout

 

Which should return something that begins like this.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:00:00:04:ec:a5:d2:d6:37:dc:94:5d:c1:00:01:00:00:04:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example
        Validity
            Not Before: Jun 18 12:59:36 2024 GMT
            Not After : Jun 18 12:59:36 2025 GMT
        Subject: C = US, ST = CA, L = Los Angeles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
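
The steps above (fetch with s_client, save to cert.pem, inspect with openssl x509) combined into one script, as an added example that is not part of the original article; the function names and the sample output are hypothetical. It also reports s_client's verify return code, because s_client prints the certificate even when the chain does not validate against the local trust store.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the article.

# Print only the first PEM block (the server certificate) from s_client output on stdin.
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
       on { print }
       on && /-----END CERTIFICATE-----/ { exit }'
}

# Print the numeric "Verify return code" reported by s_client (0 means the chain verified).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Fetch the certificate, save it, and print the fields worth checking.
fetch_api_cert() {
  local host="$1" port="${2:-6443}" out="${3:-cert.pem}" raw code
  # -servername sets the SNI name, which selects among the API server's named certificates.
  raw=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || true
  printf '%s\n' "$raw" | extract_leaf_pem > "$out"
  [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  code=$(printf '%s\n' "$raw" | verify_code)
  [ "$code" = "0" ] || echo "warning: chain not verified by local trust store (code ${code:-unknown})" >&2
  openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client -showcerts output (placeholder base64, not real certificates).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = api.openshift.example.com
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = ACMEROOTCA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
    Verify return code: 19 (self-signed certificate in certificate chain)
---'

# Usage: ./fetch_api_cert.sh api.openshift.example.com 6443 cert.pem
[ "$#" -eq 0 ] || fetch_api_cert "$@"
```

A non-zero verify code means the certificate was accepted without chain validation, so compare the printed SHA-256 fingerprint against a value obtained out of band before trusting cert.pem.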

 



