
There are a couple ways to get the OpenShift API Server public certificates.
- Using the openssl s_client command (this article)
- Using oc and OpenSSL command
- Using the OpenShift console and OpenSSL command
By far, the openssl s_client command (this article) is the easiest, but it only provides the server certificate or the certificate chain (which is probably all you need anyway). Fetching the certificates using the OpenShift console and OpenSSL command, or using oc and the OpenSSL command, provides much greater detail and understanding.
To use the OpenSSL command to get the API Server SSL certificate, you will need to know the API Server URL and port. The oc get apiserver command can be used to display the API Server URL (api.openshift.example.com in this example), but you need to be logged in to use this command. Check out my article FreeKB - OpenShift - Log into OpenShift using the oc login command.
~]$ oc get apiserver cluster --output 'jsonpath={.spec.servingCerts.namedCertificates[*].names[*]}'
api.openshift.example.com
The openssl s_client command can be used to return the OpenShift API Server SSL certificate. It is noteworthy that the certificates are stored in the secret named api-cert in the openshift-config namespace. The api-cert secret contains three keys, ca.crt (the root CA), tls.crt (the intermediate CA and server certificate) and tls.key (the private key). The openssl s_client command without the -showcerts flag will only return the server certificate in tls.crt.
~]$ echo | openssl s_client -connect api.openshift.example.com:6443
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = CA, L = Los Angeles, O = Example, OU = Information Technology, CN = api.openshift.example.com
   i:DC = com, DC = example, CN = rootCA
 1 s:DC = com, DC = example, CN = rootCA
   i:CN = ACMEROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGeDCC...vvnEPb7hvJasdfasdfasdfadfscKeDKA==
-----END CERTIFICATE-----
The -showcerts flag can be used to return the full chain from tls.crt, that is both the intermediate CA certificate and the server certificate.
~]$ echo | openssl s_client -connect api.openshift.example.com:6443 -showcerts
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = CA, L = Los Angeles, O = Example, OU = Information Technology, CN = api.openshift.example.com
   i:DC = com, DC = example, CN = rootCA
-----BEGIN CERTIFICATE-----
MIIGeDCC...vvnEPb7hvJasdfasdfasdfadfscKeDKA==
-----END CERTIFICATE-----
 1 s:DC = com, DC = example, CN = rootCA
   i:CN = ACMEROOTCA
-----BEGIN CERTIFICATE-----
MIID4jCCAs...FpNmI81VankfNocBKnUm8=
-----END CERTIFICATE-----
I almost always save each certificate to its own file. For example, cert.pem could contain one of the certificates from the chain (everything from the BEGIN CERTIFICATE line through the END CERTIFICATE line).
-----BEGIN CERTIFICATE-----
MIIGeDCC...vvnEPb7hvJasdfasdfasdfadfscKeDKA==
-----END CERTIFICATE-----
And then I can use openssl to view the human-readable certificate content.
~]$ openssl x509 -in cert.pem -text -noout
Which should return something that begins like this.
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = example
        Validity
            Not Before: Jun 18 12:59:36 2024 GMT
            Not After : Jun 18 12:59:36 2025 GMT
        Subject: C = US, ST = CA, L = Los Angeles, O = Example, OU = Information Technology, CN = api.openshift.example.com
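What the article does by hand (copy one block into cert.pem, then run openssl x509 on it) can be scripted. The following POSIX shell script is an added example and is not from the original article: it fetches the -showcerts output, splits every PEM block into its own cert-N.pem file, prints the openssl x509 fields worth reading, and, because s_client only shows whatever the server chose to present, lets you verify the server certificate against a CA file you actually trust, such as the ca.crt key of the api-cert secret mentioned above. The function names fetch_chain, split_chain, describe_certs and verify_chain, the api-chain output directory and the api-chain.sh file name are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: fetch the chain the API server
# presents, split it into one PEM file per certificate, describe each one, and
# check that the server certificate chains to a CA file you trust.
# Assumes the openssl binary and, for fetching, network access to HOST:PORT.
set -eu

# fetch_chain HOST PORT: dump the s_client -showcerts output for HOST:PORT.
# -servername sends SNI so a server with several certificates picks the right one.
fetch_chain() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null
}

# split_chain DIR: read s_client output on stdin, write every PEM block to
# DIR/cert-N.pem (N from 0, so cert-0.pem is the server certificate) and print
# how many blocks were written. The chatter around the blocks is dropped.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { if (inblock) { close(f); n++ }; inblock = 0 }
        END { print n }
    '
}

# describe_certs DIR: the human-readable fields most worth eyeballing for each
# cert-N.pem: subject, issuer, validity window and SHA-256 fingerprint.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -dates -fingerprint -sha256
    done
}

# verify_chain DIR CAFILE: verify cert-0.pem against CAFILE, offering the other
# presented certificates only as untrusted intermediates. The exit status is
# openssl verify's, so 0 means the chain is anchored in CAFILE.
verify_chain() {
    dir="$1"; cafile="$2"
    set --
    for f in "$dir"/cert-*.pem; do
        [ "$f" = "$dir/cert-0.pem" ] && continue
        set -- "$@" -untrusted "$f"
    done
    openssl verify -CAfile "$cafile" "$@" "$dir/cert-0.pem"
}

# Usage: sh api-chain.sh api.openshift.example.com 6443 ./api-chain [ca.crt]
if [ -n "${1:-}" ]; then
    host="$1"; port="${2:-6443}"; dir="${3:-./api-chain}"
    count=$(fetch_chain "$host" "$port" | split_chain "$dir")
    echo "wrote $count certificate(s) to $dir"
    describe_certs "$dir"
    if [ -n "${4:-}" ]; then
        verify_chain "$dir" "$4"
    fi
fi
```

Save it as api-chain.sh and run it as `sh api-chain.sh api.openshift.example.com 6443 ./api-chain ca.crt` after pulling ca.crt out of the secret (for example with `oc extract secret/api-cert -n openshift-config --keys=ca.crt`). A non-zero exit from the verify step means the chain the server sent is not anchored in that CA, which is worth knowing before you hand cert.pem to anything that will trust it.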