Display Certificates Installed on a System

The system certificate-list command

The system certificate-list command can be used to list the platform certificates present on the StarlingX system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The system certificate-list command has the following options:

  • system certificate-list --expired lists the expired certificates.

  • system certificate-list --soon_to_expiry <N> lists the certificates expiring in given <N> days.

For example:

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date    : June 03 09:26:57 2024
Expiry Date   : June 07 12:17:19 2025
Issuer        : CN=starlingx
Subject       : CN=kubernetes-admin,O=system:masters
Renewal       : Automatic
File Path     : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
apiserver
+------------------------------------------------------------+
Residual Time : 359d
Issue Date    : June 03 09:26:57 2024
Expiry Date   : June 07 12:17:17 2025
Issuer        : CN=starlingx
Subject       : CN=kube-apiserver
Renewal       : Automatic
File Path     : /etc/kubernetes/pki/apiserver.crt
+------------------------------------------------------------+
..etc

The command system k8s-certificate-list can be used to list all k8s tls/opaque type certificates present on the StarlingX system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The system k8s-certificate-list command has the following options:

  • system k8s-certificate-list --expired lists the expired certificates.

  • system k8s-certificate-list --soon_to_expiry <N> lists the certificates expiring in given <N> days.

For example:

[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/ca.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date    : June 07 12:22:41 2024
Expiry Date   : June 07 12:22:41 2025
Issuer        : CN=cert-manager-webhook-ca
Subject       : CN=cert-manager-webhook-ca
Namespace     : cert-manager
Secret        : cm-cert-manager-webhook-ca
Renewal       : Automatic
Secret Type   : Opaque
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/tls.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date    : June 07 12:22:41 2024
Expiry Date   : June 07 12:22:41 2025
Issuer        : CN=cert-manager-webhook-ca
Subject       : CN=cert-manager-webhook-ca
Namespace     : cert-manager
Secret        : cm-cert-manager-webhook-ca
Renewal       : Automatic
Secret Type   : Opaque
+------------------------------------------------------------+

..etc

The command system certificate-show <certificate name> shows the full details of the certificate, the certificate name can be picked from system certificate-list output.

For example:

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate
Certificate:
    Residual Time: 84d
    Version: v3
    Serial Number: 0xf6de1076c4f523ae530b39730c61a769
    Issuer: CN=starlingx
    Validity:
        Not Before: June 07 12:25:25 2024
        Not After: September 05 12:25:25 2024
    Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a
    Subject Public Key Info:
        key_size: (2048 bit)
    X509v3 extensions:
        X509v3 Key Usage:
            values: Digital Signature, Key Encipherment
            critical: True
        X509v3 Basic Constraints:
            CA: False
            critical: True
        X509v3 Authority Key Identifier:
            keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744
        X509v3 Subject Alternative Name:
            DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local']
            IP Address: ['10.10.10.12']
    Signature Algorithm: sha256WithRSAEncryption
    Signature: 02ac2fe1e454ff0116fff400f24bb1845872b84d44ff47a40e3989d2085e0e306c903a1290f8f3bddf2cb320d5387ce64e4b50d8b3269ab70d6dbb760ecbd566f0fbf644c24f258cce4e0f1987e3636fe88a00ce99b416b47a372b28424367ceef9b04d52b279be2305070c6a92c848de6f50dd046876475c1604fdf630e72f47aba051b30983cf046b69f7c7ddb5fe396cf41955d40bc263640e2d85bba5a10602a7962c69397e30a3ebf6080df6aea2fa4ce380aa413ed89b96f3b3f3d54ee8ddaa477f5d41fd3d2f55231ebc35e76ae9f65db39e24fa07d0c2d7b4f5588daa8da92ff3fd03a240a7e7a70e31d619a1a659c709ed293451e111a316703264cf80a023acb0aa7790828c1508cf88aabf2c02b097d5f7afb077a7759b85a204bfc672c33bcbc07b6a16fc6f756721de043917e7a9de6ca38f99d421232a3302f03b762c3a9847d0a2aa25af47b39b2eca469c5f309a99931234551b7c29f9e119215970e30bb55ad4263f4745751fb927fb98c3c463a2f403686c90a6cac6db2f681e3e5c6951f43da1db8b7b2d9121a3bd49429ddbb72740a1f1a108e62e8add857f344d60cadfc47abf1343f166d33d7083331913538d2881dbd9216763427722e9db4f10cc9952fc5d2f0998e4453925d9b84f3c2394c825eeb1bb8c63948bb2bb8c27165f81f585a4d023d139a8413c235dd8d4cd8cae418f9764c66ad0e
    File Path: /etc/ssl/private/server-cert.pem
    Renewal: Automatic
    Namespace: deployment
    Secret: system-restapi-gui-certificate

The command system k8s-certificate-show <certficate name> shows the full details of the k8s certificate, the certificate name can be picked from system k8s-certificate-list output.

For example:

[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca
Certificate:
    Residual Time: 3640d
    Version: v3
    Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4
    Issuer: CN=starlingx
    Validity:
        Not Before: June 03 09:26:57 2024
        Not After: June 01 09:26:57 2034
    Subject: CN=starlingx
    Subject Public Key Info:
        key_size: (4096 bit)
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS: ['starlingx']
        X509v3 Key Usage:
            values: Digital Signature, Key Encipherment
        X509v3 Basic Constraints:
            CA: True
            critical: True
    Signature Algorithm: sha256WithRSAEncryption
    Signature: af88723bb84c1f5b9ebe62e257564990be3b379e156e1c45203cbf10c05c09e03325b2f59c752a61a3289f32b2dbcc580bba16e13bc02137ff18b27c1f6e7ccc2a9e7243dcfaf7ea16ae0764fd30f915d95b428248be5bdcc4a9a8972d538ce2314e29339759b06f739ef06941af54450fc830aef5be9dd214962959aefc6b6dc22dba2ce2f87b5c763817c9d33bcf2c189e59fc7abad455aef3ad18525d9f8f47938b8d47056bcb513d414fe2f7713b6b8ee37e8999ea48c2529043ec7871fa079d7374b894a5410090c5fe8ad3e08b7b3649cac550b9ce732ec0e0739ac3de4c1eca8d83d3c44bf30841a1a469d5bfba5743f5f1d5260e73057027d4c5ad97a955d8a55f72733c941a30402f92454be97725acabba199a92a723a44aa1f32c86e274944641b5665f4d09ecae46d2d8b6ac100e690d763b1172406e9e3db0f6f3070fa66af43de449b4a1e4c34b2e3329c878138b2078c22facb940ade27372d17354f35dabf406ec7925dba4e60c49139fa99e6f4386eb245c3be5827dd6fea4988bdb11bb684da4d5584a87b7a479cded665de87f8b479fb81430f3bb6443e54051f477465343e1e3c77bb590ee6d87ce5b7f39bf417e047f7acc3ac7aff5e389b317bf0ef79c87f37fe951c06bc431afb450c69be8761b90fca5b46d936a521b728320f6073a9811334581ca977b7f75f7c5b02db5091edd220b77060273
    Namespace: cert-manager
    Secret: system-local-ca
    Renewal: Manual
    Secret Type: kubernetes.io/tls

The show-certs.sh script

Note

This script is deprecated and no longer maintained.

The show-certs.sh script is an alternative way that can be used to display a list of the specific certificates present on a StarlingX system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The show-certs.sh command has the following options:

sudo show-certs.sh [-k] [-e <number-of-days>] [-h]

where:

By default, show-certs.sh command displays the platform-managed system certificates, and (highlighted in red) certificates requiring manual renewal, and certificates expiring within 90 days.

options:

-k displays certificates found in any Kubernetes SECRETS; this may include platform certificates and end-users’ certificates.

-e <number-of-days>. Changes to highlight (in red) certificates within <number-of-days> of expiry.

-h displays help

Note

This command can only be run locally on the active controller, in an SSH shell.

For example:

~(keystone_admin)]$ sudo show-certs.sh

registry.local  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /etc/ssl/private/registry-cert.crt
Subject         :  /CN=registry.local
Issuer          :  /CN=registry.local
Issue Date      :  Aug 31 01:43:09 2021 GMT
Expiry Date     :  Aug 31 01:43:09 2022 GMT
Residual Time   :  341d
-----------------------------------------------------

local-openldap / deployment  /  system-openldap-local-certificate  CERTIFICATE:
------------------------------------------
Renewal        :  Automatic [Managed by Cert-Manager]
Namespace      :  deployment
Secret         :  system-openldap-local-certificate
Subject        :  CN = system-openldap
Issuer         :  CN = starlingx
Issue Date     :  Jul 6 16:15:30 2023 GMT
Expiry Date    :  Oct 4 16:15:30 2023 GMT
Residual Time  :  89d

… etc

For scalability reasons, in a Distributed cloud system, the Subcloud ICA certificates that are present on a SystemController are redirected to a file. The script displays the path to the file with a note at the end of the displayed output.

Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.

For example,

~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt

Renewal                              Namespace  Secret                           Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------