Updating the Display Certificates Installed on a System

Security Guide Reference - Updating the Display Certificates Installed on a System section to show that: - the primary way to display certificates is with the api/cli, system certificate-list/show - the alternate (but deprecated) way is with show-certs.sh Change-Id: I0facb8dd5ec3e82b6b2bb0bead4c2aaf1689d5d5 Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-11-14 18:29:38 +00:00 · 2024-11-14 18:29:38 +00:00 · 36eb508cf7
commit 36eb508cf7
parent ad736f1964
1 changed files with 97 additions and 86 deletions
--- a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst
+++ b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst
@ -6,92 +6,10 @@
 Display Certificates Installed on a System
 ------------------------------------------

-The script **show-certs.sh** can be used to display a list of the specific
-certificates present on a |prod| system with details such as expiry
-date, residual time, subject, issuer and renewal behaviour (manual or
-automatic).
+The system certificate-list command
+-----------------------------------

-The :command:`show-certs.sh` command has the following options:
-
-**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
-
-where:
-
-By default, :command:`show-certs.sh` command displays the platform-managed
-system certificates, and (highlighted in red) certificates requiring manual
-renewal, and certificates expiring within 90 days.
-
-options:
-
-``-k`` displays certificates found in any Kubernetes SECRETS; this may include
-platform certificates and end-users' certificates.
-
-``-e`` <number-of-days>. Changes to highlight (in red) certificates within
-<number-of-days> of expiry.
-
-``-h`` displays help
-
-.. note::
-
-    This command can only be run locally on the active controller, in an SSH
-    shell.
-
-For example:
-
-.. code-block:: none
-
-    ~(keystone_admin)]$ sudo show-certs.sh
-
-    registry.local  CERTIFICATE:
-    -----------------------------------------------------
-    Renewal 	    :  Manual
-    Filename	    :  /etc/ssl/private/registry-cert.crt
-    Subject         :  /CN=registry.local
-    Issuer          :  /CN=registry.local
-    Issue Date	    :  Aug 31 01:43:09 2021 GMT
-    Expiry Date	    :  Aug 31 01:43:09 2022 GMT
-    Residual Time   :  341d
-    -----------------------------------------------------
-
-    local-openldap / deployment  /  system-openldap-local-certificate  CERTIFICATE:
-    ------------------------------------------
-    Renewal        :  Automatic [Managed by Cert-Manager]
-    Namespace      :  deployment
-    Secret         :  system-openldap-local-certificate
-    Subject        :  CN = system-openldap
-    Issuer         :  CN = starlingx
-    Issue Date     :  Jul 6 16:15:30 2023 GMT
-    Expiry Date    :  Oct 4 16:15:30 2023 GMT
-    Residual Time  :  89d
-
-    … etc
-
-
-For scalability reasons, in a Distributed cloud system, the Subcloud ICA
-certificates that are present on a SystemController are redirected to a file.
-The script displays the path to the file with a note at the end of the
-displayed output.
-
-.. code-block:: none
-
-    Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
-    /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
-    size of the output.
-
-For example,
-
-.. code-block:: none
-
-    ~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
-
-    Renewal                              Namespace  Secret		             Residual Time
-    ---------------------------------------------------------------------------------------
-    Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
-    Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  364d
-    Automatic [Managed by Cert-Manager]   dc-cert   subcloud100-adminep-ca-certificate 364d
-    ---------------------------------------------------------------------------------------
-
-The command ``system certificate-list`` can be used to list the platform
+The ``system certificate-list``  command can be used to list the platform
 certificates present on the |prod| system with details such as expiry date,
 residual time, subject, issuer and renewal behaviour (manual or automatic).

@ -249,4 +167,97 @@ For example:
        Namespace: cert-manager
        Secret: system-local-ca
        Renewal: Manual
-        Secret Type: kubernetes.io/tls
+        Secret Type: kubernetes.io/tls
+
+
+The show-certs.sh script
+------------------------
+
+.. note::
+    This script is deprecated and no longer maintained.
+
+The ``show-certs.sh`` script is an alternative way that can be used to display
+a list of the specific certificates present on a |prod| system with details
+such as expiry date, residual time, subject, issuer and renewal behaviour
+(manual or automatic).
+
+The :command:`show-certs.sh` command has the following options:
+
+**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
+
+where:
+
+By default, :command:`show-certs.sh` command displays the platform-managed
+system certificates, and (highlighted in red) certificates requiring manual
+renewal, and certificates expiring within 90 days.
+
+options:
+
+``-k`` displays certificates found in any Kubernetes SECRETS; this may include
+platform certificates and end-users' certificates.
+
+``-e`` <number-of-days>. Changes to highlight (in red) certificates within
+<number-of-days> of expiry.
+
+``-h`` displays help
+
+.. note::
+
+    This command can only be run locally on the active controller, in an SSH
+    shell.
+
+For example:
+
+.. code-block:: none
+
+    ~(keystone_admin)]$ sudo show-certs.sh
+
+    registry.local  CERTIFICATE:
+    -----------------------------------------------------
+    Renewal 	    :  Manual
+    Filename	    :  /etc/ssl/private/registry-cert.crt
+    Subject         :  /CN=registry.local
+    Issuer          :  /CN=registry.local
+    Issue Date	    :  Aug 31 01:43:09 2021 GMT
+    Expiry Date	    :  Aug 31 01:43:09 2022 GMT
+    Residual Time   :  341d
+    -----------------------------------------------------
+
+    local-openldap / deployment  /  system-openldap-local-certificate  CERTIFICATE:
+    ------------------------------------------
+    Renewal        :  Automatic [Managed by Cert-Manager]
+    Namespace      :  deployment
+    Secret         :  system-openldap-local-certificate
+    Subject        :  CN = system-openldap
+    Issuer         :  CN = starlingx
+    Issue Date     :  Jul 6 16:15:30 2023 GMT
+    Expiry Date    :  Oct 4 16:15:30 2023 GMT
+    Residual Time  :  89d
+
+    … etc
+
+
+For scalability reasons, in a Distributed cloud system, the Subcloud ICA
+certificates that are present on a SystemController are redirected to a file.
+The script displays the path to the file with a note at the end of the
+displayed output.
+
+.. code-block:: none
+
+    Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
+    /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
+    size of the output.
+
+For example,
+
+.. code-block:: none
+
+    ~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
+
+    Renewal                              Namespace  Secret		             Residual Time
+    ---------------------------------------------------------------------------------------
+    Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
+    Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  364d
+    Automatic [Managed by Cert-Manager]   dc-cert   subcloud100-adminep-ca-certificate 364d
+    ---------------------------------------------------------------------------------------
+