How to check TLS certificate details in OpenShift 4
Environment
- Red Hat OpenShift Container Platform
- 4.X
Issue
- How to list the expiry date of all OpenShift TLS certificates?
Resolution
Review certificates stored in Secrets
To extract the details (issuer, validity dates and subject) of every TLS certificate stored in a Secret of type kubernetes.io/tls or SecretTypeTLS in the cluster, run this command (every data entry whose key does not contain "key" is decoded as a PEM certificate, so ca.crt entries are included as well):
oc get secrets -A -o json | jq -r '.items | sort_by(.metadata.namespace,.metadata.name) |.[] |select((.type == "kubernetes.io/tls") or (.type == "SecretTypeTLS"))| "\(.metadata.namespace) \(.metadata.name) \(.data | to_entries[] | select(.key | test("key") or test("Key") | not)| .value)"' | while read namespace name cert; do echo -e "\n${namespace} - ${name}\n##################"; echo $cert | base64 -d | openssl crl2pkcs7 -nocrl -certfile /dev/stdin |openssl pkcs7 -print_certs -text -noout | grep -A4 Issuer:; done
Review certificates stored in ConfigMaps (CM)
Certificates stored in ConfigMaps can be reviewed either for a single namespace or for all namespaces.
Set the variable as desired:
- ALL CMs
ALL_CM_JSON=$(oc get cm -A -o json)
- CMs from a Namespace
ALL_CM_JSON=$(oc get cm -n <desired_namespace> -o json)
Then run the command. Only ConfigMaps that have at least one data key ending in .crt are listed, and only those .crt entries are decoded, so other (non-PEM) data in the same ConfigMap does not break openssl:
echo "${ALL_CM_JSON}" | jq -r '.items | sort_by(.metadata.namespace,.metadata.name) |.[] | select((.data != null) and any(.data | to_entries[]; .key | test("\\.crt$"))) | "\(.metadata.namespace) \(.metadata.name)"' | while read -r namespace name; do echo -e "\n${namespace} - ${name}\n##################"; echo "${ALL_CM_JSON}" | jq -r --arg namespace "${namespace}" --arg name "${name}" '.items[] | select((.metadata.namespace == $namespace) and (.metadata.name == $name)) | .data | to_entries[] | select(.key | test("\\.crt$")) | .value' | openssl crl2pkcs7 -nocrl -certfile /dev/stdin |openssl pkcs7 -print_certs -text -noout | grep -A4 Issuer:; done
Expected Output format
Both commands display the certificate details, sorted by namespace and object name, like this:
[...Output Omitted...]
openshift-ingress - router-certs-default
##################
Issuer: CN=ingress-operator@1643136458
Validity
Not Before: Jan 25 18:47:44 2022 GMT
Not After : Jan 25 18:47:45 2024 GMT
Subject: CN=*.apps.ocp.dataserv.local
--
Issuer: CN=ingress-operator@1643136458
Validity
Not Before: Jan 25 18:47:38 2022 GMT
Not After : Jan 25 18:47:39 2024 GMT
Subject: CN=ingress-operator@1643136458
[...Output Omitted...]
openshift-kube-apiserver-operator - kube-apiserver-to-kubelet-signer
##################
Issuer: OU=openshift, CN=kube-apiserver-to-kubelet-signer
Validity
Not Before: Jan 25 18:23:44 2022 GMT
Not After : Jan 25 18:23:44 2023 GMT
Subject: OU=openshift, CN=kube-apiserver-to-kubelet-signer
[...Output Omitted...]
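The listing above still leaves it to the reader to compare each "Not After" date with today. The following script is an added example, not part of this KCS: it turns a PEM bundle (a tls.crt, a ca.crt or a ca-bundle.crt with several concatenated certificates) into a per-certificate report with the number of days left, and exposes an expiry-window check. The offline demo runs on a constructed throwaway self-signed certificate; the cluster-wide function reuses the same Secret selection as the command in the Resolution above and needs oc access, so it is not run here. It assumes bash, openssl 1.1.1 or later (for -checkend) and GNU date (for date -d).

```shell
#!/usr/bin/env bash
# Added example for this KCS (not part of the original article).
# Assumes: bash, openssl >= 1.1.1 (for -checkend), GNU date (for "date -d").
set -euo pipefail

# Days until the single PEM certificate on stdin expires (negative if expired).
cert_days_left() {
  local enddate
  enddate=$(openssl x509 -noout -enddate | cut -d= -f2-)   # e.g. "Jan 25 18:47:45 2024 GMT"
  echo $(( ( $(date -u -d "$enddate" +%s) - $(date -u +%s) ) / 86400 ))
}

# Exit 0 if the PEM certificate on stdin expires within $1 days, else exit 1.
# openssl's -checkend exits non-zero when the certificate WILL expire inside
# the window, so the status is inverted here to read naturally.
cert_expires_within() {
  if openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# Report every certificate in the PEM bundle on stdin, one per line:
#   days_left <TAB> notAfter <TAB> subject
# Bundles such as ca-bundle.crt hold several concatenated certificates, so
# awk emits each BEGIN..END block followed by a form-feed separator and the
# loop handles them one at a time.
report_bundle() {
  local pem
  awk '/-----BEGIN CERTIFICATE-----/{c=1} c{print} /-----END CERTIFICATE-----/{c=0; printf "\f"}' \
  | while IFS= read -r -d $'\f' pem; do
      printf '%s\t%s\t%s\n' \
        "$(printf '%s\n' "$pem" | cert_days_left)" \
        "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2-)" \
        "$(printf '%s\n' "$pem" | openssl x509 -noout -subject)"
    done
}

# Cluster-wide report (needs oc access; not exercised offline). Same Secret
# selection as the KCS command; every certificate expiring within $1 days
# (default 30) is prefixed with "EXPIRING".
report_cluster_tls_secrets() {
  local warn_days=${1:-30} ns name key b64 days enddate subject flag
  oc get secrets -A -o json \
  | jq -r '.items[] | select(.type == "kubernetes.io/tls" or .type == "SecretTypeTLS")
           | .metadata.namespace as $ns | .metadata.name as $n
           | .data | to_entries[] | select(.key | test("key"; "i") | not)
           | "\($ns) \($n) \(.key) \(.value)"' \
  | while read -r ns name key b64; do
      echo "$b64" | base64 -d | report_bundle \
      | while IFS=$'\t' read -r days enddate subject; do
          flag=""
          if [ "$days" -le "$warn_days" ]; then flag="EXPIRING "; fi
          printf '%s%s/%s[%s]\t%s\t%s\t%s\n' "$flag" "$ns" "$name" "$key" "$days" "$enddate" "$subject"
        done
    done
}

# Offline demonstration on a constructed 30-day self-signed certificate,
# concatenated twice to stand in for a two-certificate bundle.
demo_bundle() {
  local tmp
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=demo.example.invalid' \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  cat "$tmp/cert.pem" "$tmp/cert.pem" > "$tmp/bundle.pem"
  report_bundle < "$tmp/bundle.pem"
  rm -rf "$tmp"
}

demo_bundle
```

Piping a cluster tls.crt through report_bundle gives the same three columns per certificate; report_cluster_tls_secrets 60 is the form to use before a planned maintenance window so that anything inside the next two months stands out.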
Root Cause
The OpenShift TLS certificates are stored as Secrets and/or ConfigMaps in RHOCP.
Retrieving all of them and checking their validity can be cumbersome.
This KCS provides commands to help with this.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.