Updating the Display Certificates Installed on a System

Security Guide Reference - Updating the Display Certificates Installed on a System section to show that:
- the primary way to display certificates is with the api/cli, system certificate-list/show
- the alternate (but deprecated) way is with show-certs.sh

Change-Id: I0facb8dd5ec3e82b6b2bb0bead4c2aaf1689d5d5
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
This commit is contained in:
Suzana Fernandes 2024-11-14 18:29:38 +00:00 committed by Suzana Barude Fernandes
parent ad736f1964
commit 36eb508cf7

View File

@ -6,92 +6,10 @@
Display Certificates Installed on a System Display Certificates Installed on a System
------------------------------------------ ------------------------------------------
The script **show-certs.sh** can be used to display a list of the specific The system certificate-list command
certificates present on a |prod| system with details such as expiry -----------------------------------
date, residual time, subject, issuer and renewal behaviour (manual or
automatic).
The :command:`show-certs.sh` command has the following options: The ``system certificate-list`` command can be used to list the platform
**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
where:
By default, :command:`show-certs.sh` command displays the platform-managed
system certificates, and (highlighted in red) certificates requiring manual
renewal, and certificates expiring within 90 days.
options:
``-k`` displays certificates found in any Kubernetes SECRETS; this may include
platform certificates and end-users' certificates.
``-e`` <number-of-days>. Changes to highlight (in red) certificates within
<number-of-days> of expiry.
``-h`` displays help
.. note::
This command can only be run locally on the active controller, in an SSH
shell.
For example:
.. code-block:: none
~(keystone_admin)]$ sudo show-certs.sh
registry.local CERTIFICATE:
-----------------------------------------------------
Renewal : Manual
Filename : /etc/ssl/private/registry-cert.crt
Subject : /CN=registry.local
Issuer : /CN=registry.local
Issue Date : Aug 31 01:43:09 2021 GMT
Expiry Date : Aug 31 01:43:09 2022 GMT
Residual Time : 341d
-----------------------------------------------------
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
------------------------------------------
Renewal : Automatic [Managed by Cert-Manager]
Namespace : deployment
Secret : system-openldap-local-certificate
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d
… etc
For scalability reasons, in a Distributed cloud system, the Subcloud ICA
certificates that are present on a SystemController are redirected to a file.
The script displays the path to the file with a note at the end of the
displayed output.
.. code-block:: none
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.
For example,
.. code-block:: none
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
Renewal Namespace Secret Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------
The command ``system certificate-list`` can be used to list the platform
certificates present on the |prod| system with details such as expiry date, certificates present on the |prod| system with details such as expiry date,
residual time, subject, issuer and renewal behaviour (manual or automatic). residual time, subject, issuer and renewal behaviour (manual or automatic).
@ -250,3 +168,96 @@ For example:
Secret: system-local-ca Secret: system-local-ca
Renewal: Manual Renewal: Manual
Secret Type: kubernetes.io/tls Secret Type: kubernetes.io/tls
The show-certs.sh script
------------------------
.. note::
This script is deprecated and no longer maintained.
The ``show-certs.sh`` script is an alternative way that can be used to display
a list of the specific certificates present on a |prod| system with details
such as expiry date, residual time, subject, issuer and renewal behaviour
(manual or automatic).
The :command:`show-certs.sh` command has the following options:
**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
where:
By default, :command:`show-certs.sh` command displays the platform-managed
system certificates, and (highlighted in red) certificates requiring manual
renewal, and certificates expiring within 90 days.
options:
``-k`` displays certificates found in any Kubernetes SECRETS; this may include
platform certificates and end-users' certificates.
``-e`` <number-of-days>. Changes to highlight (in red) certificates within
<number-of-days> of expiry.
``-h`` displays help
.. note::
This command can only be run locally on the active controller, in an SSH
shell.
For example:
.. code-block:: none
~(keystone_admin)]$ sudo show-certs.sh
registry.local CERTIFICATE:
-----------------------------------------------------
Renewal : Manual
Filename : /etc/ssl/private/registry-cert.crt
Subject : /CN=registry.local
Issuer : /CN=registry.local
Issue Date : Aug 31 01:43:09 2021 GMT
Expiry Date : Aug 31 01:43:09 2022 GMT
Residual Time : 341d
-----------------------------------------------------
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
------------------------------------------
Renewal : Automatic [Managed by Cert-Manager]
Namespace : deployment
Secret : system-openldap-local-certificate
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d
… etc
For scalability reasons, in a Distributed cloud system, the Subcloud ICA
certificates that are present on a SystemController are redirected to a file.
The script displays the path to the file with a note at the end of the
displayed output.
.. code-block:: none
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.
For example,
.. code-block:: none
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
Renewal Namespace Secret Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------