Display Certificates Installed on a System¶
The system certificate-list command¶
The system certificate-list
command can be used to list the platform
certificates present on the StarlingX system with details such as expiry date,
residual time, subject, issuer and renewal behaviour (manual or automatic).
The system certificate-list command has the following options:
system certificate-list --expired
lists the expired certificates.system certificate-list --soon_to_expiry <N>
lists the certificates expiring in given <N> days.
For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:19 2025
Issuer : CN=starlingx
Subject : CN=kubernetes-admin,O=system:masters
Renewal : Automatic
File Path : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
apiserver
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:17 2025
Issuer : CN=starlingx
Subject : CN=kube-apiserver
Renewal : Automatic
File Path : /etc/kubernetes/pki/apiserver.crt
+------------------------------------------------------------+
..etc
The command system k8s-certificate-list
can be used to list all k8s
tls/opaque type certificates present on the StarlingX system with details such as
expiry date, residual time, subject, issuer and renewal behaviour (manual or
automatic).
The system k8s-certificate-list command has the following options:
system k8s-certificate-list --expired
lists the expired certificates.system k8s-certificate-list --soon_to_expiry <N>
lists the certificates expiring in given <N> days.
For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/ca.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/tls.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
..etc
The command system certificate-show <certificate name>
shows the full
details of the certificate, the certificate name can be picked from system
certificate-list
output.
For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate
Certificate:
Residual Time: 84d
Version: v3
Serial Number: 0xf6de1076c4f523ae530b39730c61a769
Issuer: CN=starlingx
Validity:
Not Before: June 07 12:25:25 2024
Not After: September 05 12:25:25 2024
Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a
Subject Public Key Info:
key_size: (2048 bit)
X509v3 extensions:
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
critical: True
X509v3 Basic Constraints:
CA: False
critical: True
X509v3 Authority Key Identifier:
keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744
X509v3 Subject Alternative Name:
DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local']
IP Address: ['10.10.10.12']
Signature Algorithm: sha256WithRSAEncryption
Signature: 02ac2fe1e454ff0116fff400f24bb1845872b84d44ff47a40e3989d2085e0e306c903a1290f8f3bddf2cb320d5387ce64e4b50d8b3269ab70d6dbb760ecbd566f0fbf644c24f258cce4e0f1987e3636fe88a00ce99b416b47a372b28424367ceef9b04d52b279be2305070c6a92c848de6f50dd046876475c1604fdf630e72f47aba051b30983cf046b69f7c7ddb5fe396cf41955d40bc263640e2d85bba5a10602a7962c69397e30a3ebf6080df6aea2fa4ce380aa413ed89b96f3b3f3d54ee8ddaa477f5d41fd3d2f55231ebc35e76ae9f65db39e24fa07d0c2d7b4f5588daa8da92ff3fd03a240a7e7a70e31d619a1a659c709ed293451e111a316703264cf80a023acb0aa7790828c1508cf88aabf2c02b097d5f7afb077a7759b85a204bfc672c33bcbc07b6a16fc6f756721de043917e7a9de6ca38f99d421232a3302f03b762c3a9847d0a2aa25af47b39b2eca469c5f309a99931234551b7c29f9e119215970e30bb55ad4263f4745751fb927fb98c3c463a2f403686c90a6cac6db2f681e3e5c6951f43da1db8b7b2d9121a3bd49429ddbb72740a1f1a108e62e8add857f344d60cadfc47abf1343f166d33d7083331913538d2881dbd9216763427722e9db4f10cc9952fc5d2f0998e4453925d9b84f3c2394c825eeb1bb8c63948bb2bb8c27165f81f585a4d023d139a8413c235dd8d4cd8cae418f9764c66ad0e
File Path: /etc/ssl/private/server-cert.pem
Renewal: Automatic
Namespace: deployment
Secret: system-restapi-gui-certificate
The command system k8s-certificate-show <certficate name>
shows the full
details of the k8s certificate, the certificate name can be picked from system
k8s-certificate-list
output.
For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca
Certificate:
Residual Time: 3640d
Version: v3
Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4
Issuer: CN=starlingx
Validity:
Not Before: June 03 09:26:57 2024
Not After: June 01 09:26:57 2034
Subject: CN=starlingx
Subject Public Key Info:
key_size: (4096 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: ['starlingx']
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA: True
critical: True
Signature Algorithm: sha256WithRSAEncryption
Signature: af88723bb84c1f5b9ebe62e257564990be3b379e156e1c45203cbf10c05c09e03325b2f59c752a61a3289f32b2dbcc580bba16e13bc02137ff18b27c1f6e7ccc2a9e7243dcfaf7ea16ae0764fd30f915d95b428248be5bdcc4a9a8972d538ce2314e29339759b06f739ef06941af54450fc830aef5be9dd214962959aefc6b6dc22dba2ce2f87b5c763817c9d33bcf2c189e59fc7abad455aef3ad18525d9f8f47938b8d47056bcb513d414fe2f7713b6b8ee37e8999ea48c2529043ec7871fa079d7374b894a5410090c5fe8ad3e08b7b3649cac550b9ce732ec0e0739ac3de4c1eca8d83d3c44bf30841a1a469d5bfba5743f5f1d5260e73057027d4c5ad97a955d8a55f72733c941a30402f92454be97725acabba199a92a723a44aa1f32c86e274944641b5665f4d09ecae46d2d8b6ac100e690d763b1172406e9e3db0f6f3070fa66af43de449b4a1e4c34b2e3329c878138b2078c22facb940ade27372d17354f35dabf406ec7925dba4e60c49139fa99e6f4386eb245c3be5827dd6fea4988bdb11bb684da4d5584a87b7a479cded665de87f8b479fb81430f3bb6443e54051f477465343e1e3c77bb590ee6d87ce5b7f39bf417e047f7acc3ac7aff5e389b317bf0ef79c87f37fe951c06bc431afb450c69be8761b90fca5b46d936a521b728320f6073a9811334581ca977b7f75f7c5b02db5091edd220b77060273
Namespace: cert-manager
Secret: system-local-ca
Renewal: Manual
Secret Type: kubernetes.io/tls
The show-certs.sh script¶
Note
This script is deprecated and no longer maintained.
The show-certs.sh
script is an alternative way that can be used to display
a list of the specific certificates present on a StarlingX system with details
such as expiry date, residual time, subject, issuer and renewal behaviour
(manual or automatic).
The show-certs.sh command has the following options:
sudo show-certs.sh [-k] [-e <number-of-days>] [-h]
where:
By default, show-certs.sh command displays the platform-managed system certificates, and (highlighted in red) certificates requiring manual renewal, and certificates expiring within 90 days.
options:
-k
displays certificates found in any Kubernetes SECRETS; this may include
platform certificates and end-users’ certificates.
-e
<number-of-days>. Changes to highlight (in red) certificates within
<number-of-days> of expiry.
-h
displays help
Note
This command can only be run locally on the active controller, in an SSH shell.
For example:
~(keystone_admin)]$ sudo show-certs.sh
registry.local CERTIFICATE:
-----------------------------------------------------
Renewal : Manual
Filename : /etc/ssl/private/registry-cert.crt
Subject : /CN=registry.local
Issuer : /CN=registry.local
Issue Date : Aug 31 01:43:09 2021 GMT
Expiry Date : Aug 31 01:43:09 2022 GMT
Residual Time : 341d
-----------------------------------------------------
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
------------------------------------------
Renewal : Automatic [Managed by Cert-Manager]
Namespace : deployment
Secret : system-openldap-local-certificate
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d
… etc
For scalability reasons, in a Distributed cloud system, the Subcloud ICA certificates that are present on a SystemController are redirected to a file. The script displays the path to the file with a note at the end of the displayed output.
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.
For example,
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
Renewal Namespace Secret Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------