From 36eb508cf773087ae94babb11db8dacfaba7a066 Mon Sep 17 00:00:00 2001 From: Suzana Fernandes Date: Thu, 14 Nov 2024 18:29:38 +0000 Subject: [PATCH] Updating the Display Certificates Installed on a System Security Guide Reference - Updating the Display Certificates Installed on a System section to show that: - the primary way to display certificates is with the api/cli, system certificate-list/show - the alternate (but deprecated) way is with show-certs.sh Change-Id: I0facb8dd5ec3e82b6b2bb0bead4c2aaf1689d5d5 Signed-off-by: Suzana Fernandes --- ...utility-script-to-display-certificates.rst | 183 ++++++++++-------- 1 file changed, 97 insertions(+), 86 deletions(-) diff --git a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst index 055d87a6b..cd296a133 100644 --- a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst +++ b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst 
@@ -6,92 +6,10 @@ Display Certificates Installed on a System ------------------------------------------ -The script **show-certs.sh** can be used to display a list of the specific -certificates present on a |prod| system with details such as expiry -date, residual time, subject, issuer and renewal behaviour (manual or -automatic). +The system certificate-list command +----------------------------------- -The :command:`show-certs.sh` command has the following options: - -**sudo show-certs.sh [-k] [-e ] [-h]** - -where: - -By default, :command:`show-certs.sh` command displays the platform-managed -system certificates, and (highlighted in red) certificates requiring manual -renewal, and certificates expiring within 90 days. - -options: - -``-k`` displays certificates found in any Kubernetes SECRETS; this may include -platform certificates and end-users' certificates. - -``-e`` . Changes to highlight (in red) certificates within - of expiry. - -``-h`` displays help - -.. note:: - - This command can only be run locally on the active controller, in an SSH - shell. - -For example: - -.. 
code-block:: none - - ~(keystone_admin)]$ sudo show-certs.sh - - registry.local CERTIFICATE: - ----------------------------------------------------- - Renewal : Manual - Filename : /etc/ssl/private/registry-cert.crt - Subject : /CN=registry.local - Issuer : /CN=registry.local - Issue Date : Aug 31 01:43:09 2021 GMT - Expiry Date : Aug 31 01:43:09 2022 GMT - Residual Time : 341d - ----------------------------------------------------- - - local-openldap / deployment / system-openldap-local-certificate CERTIFICATE: - ------------------------------------------ - Renewal : Automatic [Managed by Cert-Manager] - Namespace : deployment - Secret : system-openldap-local-certificate - Subject : CN = system-openldap - Issuer : CN = starlingx - Issue Date : Jul 6 16:15:30 2023 GMT - Expiry Date : Oct 4 16:15:30 2023 GMT - Residual Time : 89d - - … etc - - -For scalability reasons, in a Distributed cloud system, the Subcloud ICA -certificates that are present on a SystemController are redirected to a file. -The script displays the path to the file with a note at the end of the -displayed output. - -.. code-block:: none - - Subcloud ICA certificates (*-adminep-ca-certificate) are saved to - /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the - size of the output. - -For example, - -.. 
code-block:: none - - ~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt - - Renewal Namespace Secret Residual Time - --------------------------------------------------------------------------------------- - Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d - Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d - Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d - --------------------------------------------------------------------------------------- - -The command ``system certificate-list`` can be used to list the platform +The ``system certificate-list`` command can be used to list the platform certificates present on the |prod| system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic). 
@@ -249,4 +167,97 @@ For example: Namespace: cert-manager Secret: system-local-ca Renewal: Manual - Secret Type: kubernetes.io/tls \ No newline at end of file + Secret Type: kubernetes.io/tls + + +The show-certs.sh script +------------------------ + +.. note:: + This script is deprecated and no longer maintained. + +The ``show-certs.sh`` script is an alternative way that can be used to display +a list of the specific certificates present on a |prod| system with details +such as expiry date, residual time, subject, issuer and renewal behaviour +(manual or automatic). + +The :command:`show-certs.sh` command has the following options: + +**sudo show-certs.sh [-k] [-e ] [-h]** + +where: + +By default, :command:`show-certs.sh` command displays the platform-managed +system certificates, and (highlighted in red) certificates requiring manual +renewal, and certificates expiring within 90 days. + +options: + +``-k`` displays certificates found in any Kubernetes SECRETS; this may include +platform certificates and end-users' certificates. + +``-e`` . Changes to highlight (in red) certificates within + of expiry. + +``-h`` displays help + +.. note:: + + This command can only be run locally on the active controller, in an SSH + shell. + +For example: + +.. 
code-block:: none + + ~(keystone_admin)]$ sudo show-certs.sh + + registry.local CERTIFICATE: + ----------------------------------------------------- + Renewal : Manual + Filename : /etc/ssl/private/registry-cert.crt + Subject : /CN=registry.local + Issuer : /CN=registry.local + Issue Date : Aug 31 01:43:09 2021 GMT + Expiry Date : Aug 31 01:43:09 2022 GMT + Residual Time : 341d + ----------------------------------------------------- + + local-openldap / deployment / system-openldap-local-certificate CERTIFICATE: + ------------------------------------------ + Renewal : Automatic [Managed by Cert-Manager] + Namespace : deployment + Secret : system-openldap-local-certificate + Subject : CN = system-openldap + Issuer : CN = starlingx + Issue Date : Jul 6 16:15:30 2023 GMT + Expiry Date : Oct 4 16:15:30 2023 GMT + Residual Time : 89d + + … etc + + +For scalability reasons, in a Distributed cloud system, the Subcloud ICA +certificates that are present on a SystemController are redirected to a file. +The script displays the path to the file with a note at the end of the +displayed output. + +.. code-block:: none + + Subcloud ICA certificates (*-adminep-ca-certificate) are saved to + /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the + size of the output. + +For example, + +.. code-block:: none + + ~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt + + Renewal Namespace Secret Residual Time + --------------------------------------------------------------------------------------- + Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d + Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d + Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d + --------------------------------------------------------------------------------------- +
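Review bot: In the first hunk, the new subsection heading "The system certificate-list command" is underlined with the same "-" adornment that the page title "Display Certificates Installed on a System" uses two lines above it, so reStructuredText will render it as a sibling section at the same level rather than as a subsection of the page. Use a different underline character for the two new headings (the same one for both, so they stay siblings of each other), and keep the underline at least as long as the heading text; the same applies to "The show-certs.sh script" in the second hunk.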
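Review bot: In the second hunk, the moved usage line "sudo show-certs.sh [-k] [-e ] [-h]" and the option description "``-e`` . Changes to highlight (in red) certificates within of expiry." carry the -e option with no argument name, so a reader cannot tell what value to supply or in what unit; since this text is being relocated anyway, name the argument in both places (a placeholder such as "<days>") and state that it replaces the 90-day default mentioned just above. The note "This script is deprecated and no longer maintained." would also be more useful if it said what to use instead, i.e. the "system certificate-list" and "system certificate-show" commands documented in the section before it, so that operators checking certificate expiry do not rely on the unmaintained script by default.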