OIDC Client Dex Server Certificates

The oidc-auth-apps application installs a proxy OIDC identity provider (dex server) that can be configured to proxy authentication requests to an LDAP(S) identity provider, such as Windows Active Directory.

The oidc-auth-apps application also provides an OIDC client that serves the username and password OIDC login page, for user authentication and retrieval of tokens.

Note

For details on installing, configuring, and using oidc-auth-apps, refer to User Authentication Using Windows Active Directory.

This section is specifically about OIDC certificates management.

Oidc-auth-apps needs three certificates to work:

  • OIDC client and identity provider server certificate (secret local-dex.tls)

  • OIDC trusted CA certificate (secret dex-client-secret)

  • Windows Active Directory CA certificate (secret wadcert)

OIDC client and identity provider server certificate

The OIDC client and identity provider server certificate secures the HTTPS connection between the OIDC client and the identity provider (dex server).

This certificate is stored in Kubernetes TLS secret local-dex.tls.

OIDC client and identity provider trusted CA certificate

The OIDC trusted CA certificate is the CA certificate that signed the OIDC client and identity provider server certificate.

It has to be installed so that the OIDC client can verify the identity provider's certificate when it connects over HTTPS.

OIDC trusted CA certificate is stored in Kubernetes secret dex-client-secret.

Windows Active Directory CA certificate (WAD CA certificate)

The WAD CA certificate is the CA certificate that signed the server certificate of the Windows Active Directory that OIDC is configured to proxy authentication requests to.

For the OIDC identity provider (as the authentication proxy) to connect securely to Windows Active Directory over TLS (LDAPS) and authenticate users, the WAD CA certificate needs to be installed and configured so that OIDC trusts the Windows Active Directory.

Install OIDC certificates

OIDC certificates are not auto generated.

They need to be installed as Kubernetes secrets as part of the OIDC app configuration.

Refer to Configure OIDC Auth Applications, on how to install OIDC certificates into Kubernetes secrets.

Update/Renew OIDC certificates

The OIDC client and identity provider certificate, if configured via cert-manager (as described in Configure OIDC Auth Applications), is auto-renewed.

However, the OIDC client and identity provider trusted CA certificate and the Windows Active Directory CA certificate are not auto-renewed. They have to be renewed manually by updating the secrets from the new certificate files and restarting the oidc-auth-apps deployments (dex server and OIDC client).

Procedure

  1. Update/renew OIDC client and identity provider server certificate:

    Note

    This step is only required if you are not using cert-manager for your certificate as described in Configure OIDC Auth Applications.

    ~(keystone_admin)]$ kubectl create secret tls local-dex.tls --cert=/home/sysadmin/new_ssl/dex-cert.pem --key=/home/sysadmin/new_ssl/dex-key.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
    
  2. Update/renew OIDC trusted CA certificate:

    ~(keystone_admin)]$ kubectl create secret generic dex-client-secret --from-file=/home/sysadmin/new_ssl/dex-ca.pem --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
    
  3. Update/renew WAD CA certificate:

    ~(keystone_admin)]$ kubectl create secret generic wadcert --from-file=/home/sysadmin/new_ssl/AD_CA.cer --save-config --dry-run=client -n kube-system -o yaml | kubectl apply -f -
    
  4. Restart OIDC client and identity provider proxy (dex-server):

    ~(keystone_admin)]$ kubectl rollout restart deployment oidc-dex -n kube-system
    ~(keystone_admin)]$ kubectl rollout restart deployment stx-oidc-client -n kube-system