Updating the Display Certificates Installed on a System
Security Guide Reference - Updating the Display Certificates Installed on a System section to show that:
- the primary way to display certificates is with the api/cli, system certificate-list/show
- the alternate (but deprecated) way is with show-certs.sh

Change-Id: I0facb8dd5ec3e82b6b2bb0bead4c2aaf1689d5d5
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
parent ad736f1964
commit 36eb508cf7
@ -6,92 +6,10 @@
|
|||||||
Display Certificates Installed on a System
|
Display Certificates Installed on a System
|
||||||
------------------------------------------
|
------------------------------------------
|
||||||
|
|
||||||
The script **show-certs.sh** can be used to display a list of the specific
|
The system certificate-list command
|
||||||
certificates present on a |prod| system with details such as expiry
|
-----------------------------------
|
||||||
date, residual time, subject, issuer and renewal behaviour (manual or
|
|
||||||
automatic).
|
|
||||||
|
|
||||||
The :command:`show-certs.sh` command has the following options:
|
The ``system certificate-list`` command can be used to list the platform
|
||||||
|
|
||||||
**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
|
|
||||||
|
|
||||||
where:
|
|
||||||
|
|
||||||
By default, :command:`show-certs.sh` command displays the platform-managed
|
|
||||||
system certificates, and (highlighted in red) certificates requiring manual
|
|
||||||
renewal, and certificates expiring within 90 days.
|
|
||||||
|
|
||||||
options:
|
|
||||||
|
|
||||||
``-k`` displays certificates found in any Kubernetes SECRETS; this may include
|
|
||||||
platform certificates and end-users' certificates.
|
|
||||||
|
|
||||||
``-e`` <number-of-days>. Changes to highlight (in red) certificates within
|
|
||||||
<number-of-days> of expiry.
|
|
||||||
|
|
||||||
``-h`` displays help
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
This command can only be run locally on the active controller, in an SSH
|
|
||||||
shell.
|
|
||||||
|
|
||||||
For example:
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
~(keystone_admin)]$ sudo show-certs.sh
|
|
||||||
|
|
||||||
registry.local CERTIFICATE:
|
|
||||||
-----------------------------------------------------
|
|
||||||
Renewal : Manual
|
|
||||||
Filename : /etc/ssl/private/registry-cert.crt
|
|
||||||
Subject : /CN=registry.local
|
|
||||||
Issuer : /CN=registry.local
|
|
||||||
Issue Date : Aug 31 01:43:09 2021 GMT
|
|
||||||
Expiry Date : Aug 31 01:43:09 2022 GMT
|
|
||||||
Residual Time : 341d
|
|
||||||
-----------------------------------------------------
|
|
||||||
|
|
||||||
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
|
|
||||||
------------------------------------------
|
|
||||||
Renewal : Automatic [Managed by Cert-Manager]
|
|
||||||
Namespace : deployment
|
|
||||||
Secret : system-openldap-local-certificate
|
|
||||||
Subject : CN = system-openldap
|
|
||||||
Issuer : CN = starlingx
|
|
||||||
Issue Date : Jul 6 16:15:30 2023 GMT
|
|
||||||
Expiry Date : Oct 4 16:15:30 2023 GMT
|
|
||||||
Residual Time : 89d
|
|
||||||
|
|
||||||
… etc
|
|
||||||
|
|
||||||
|
|
||||||
For scalability reasons, in a Distributed cloud system, the Subcloud ICA
|
|
||||||
certificates that are present on a SystemController are redirected to a file.
|
|
||||||
The script displays the path to the file with a note at the end of the
|
|
||||||
displayed output.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
|
|
||||||
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
|
|
||||||
size of the output.
|
|
||||||
|
|
||||||
For example,
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
|
|
||||||
|
|
||||||
Renewal Namespace Secret Residual Time
|
|
||||||
---------------------------------------------------------------------------------------
|
|
||||||
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
|
|
||||||
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
|
|
||||||
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
|
|
||||||
---------------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
The command ``system certificate-list`` can be used to list the platform
|
|
||||||
certificates present on the |prod| system with details such as expiry date,
|
certificates present on the |prod| system with details such as expiry date,
|
||||||
residual time, subject, issuer and renewal behaviour (manual or automatic).
|
residual time, subject, issuer and renewal behaviour (manual or automatic).
|
||||||
|
|
||||||
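Review bot: the new primary section keeps only the one-sentence description "The ``system certificate-list`` command can be used to list the platform certificates present on the |prod| system with details such as expiry date, residual time, subject, issuer and renewal behaviour", while the removed show-certs.sh text was the only place the page said how certificates requiring manual renewal and certificates expiring within 90 days are surfaced; since the commit message names "system certificate-list/show" as the primary api/cli path, the new "The system certificate-list command" section should state how an operator gets that expiry and renewal view from the CLI (the residual time field in the list output, and ``system certificate-show`` for one certificate's details), so the recommended path is not less informative than the deprecated one it replaces. The removed lines starting "The command ``system certificate-list`` can be used to list the platform" duplicated the sentence now placed under the new heading, so the move itself is fine.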
@ -250,3 +168,96 @@ For example:
|
|||||||
Secret: system-local-ca
|
Secret: system-local-ca
|
||||||
Renewal: Manual
|
Renewal: Manual
|
||||||
Secret Type: kubernetes.io/tls
|
Secret Type: kubernetes.io/tls
|
||||||
|
|
||||||
|
|
||||||
|
The show-certs.sh script
|
||||||
|
------------------------
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
This script is deprecated and no longer maintained.
|
||||||
|
|
||||||
|
The ``show-certs.sh`` script is an alternative way that can be used to display
|
||||||
|
a list of the specific certificates present on a |prod| system with details
|
||||||
|
such as expiry date, residual time, subject, issuer and renewal behaviour
|
||||||
|
(manual or automatic).
|
||||||
|
|
||||||
|
The :command:`show-certs.sh` command has the following options:
|
||||||
|
|
||||||
|
**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
|
||||||
|
|
||||||
|
where:
|
||||||
|
|
||||||
|
By default, :command:`show-certs.sh` command displays the platform-managed
|
||||||
|
system certificates, and (highlighted in red) certificates requiring manual
|
||||||
|
renewal, and certificates expiring within 90 days.
|
||||||
|
|
||||||
|
options:
|
||||||
|
|
||||||
|
``-k`` displays certificates found in any Kubernetes SECRETS; this may include
|
||||||
|
platform certificates and end-users' certificates.
|
||||||
|
|
||||||
|
``-e`` <number-of-days>. Changes to highlight (in red) certificates within
|
||||||
|
<number-of-days> of expiry.
|
||||||
|
|
||||||
|
``-h`` displays help
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
This command can only be run locally on the active controller, in an SSH
|
||||||
|
shell.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
~(keystone_admin)]$ sudo show-certs.sh
|
||||||
|
|
||||||
|
registry.local CERTIFICATE:
|
||||||
|
-----------------------------------------------------
|
||||||
|
Renewal : Manual
|
||||||
|
Filename : /etc/ssl/private/registry-cert.crt
|
||||||
|
Subject : /CN=registry.local
|
||||||
|
Issuer : /CN=registry.local
|
||||||
|
Issue Date : Aug 31 01:43:09 2021 GMT
|
||||||
|
Expiry Date : Aug 31 01:43:09 2022 GMT
|
||||||
|
Residual Time : 341d
|
||||||
|
-----------------------------------------------------
|
||||||
|
|
||||||
|
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
|
||||||
|
------------------------------------------
|
||||||
|
Renewal : Automatic [Managed by Cert-Manager]
|
||||||
|
Namespace : deployment
|
||||||
|
Secret : system-openldap-local-certificate
|
||||||
|
Subject : CN = system-openldap
|
||||||
|
Issuer : CN = starlingx
|
||||||
|
Issue Date : Jul 6 16:15:30 2023 GMT
|
||||||
|
Expiry Date : Oct 4 16:15:30 2023 GMT
|
||||||
|
Residual Time : 89d
|
||||||
|
|
||||||
|
… etc
|
||||||
|
|
||||||
|
|
||||||
|
For scalability reasons, in a Distributed cloud system, the Subcloud ICA
|
||||||
|
certificates that are present on a SystemController are redirected to a file.
|
||||||
|
The script displays the path to the file with a note at the end of the
|
||||||
|
displayed output.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
|
||||||
|
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
|
||||||
|
size of the output.
|
||||||
|
|
||||||
|
For example,
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
|
||||||
|
|
||||||
|
Renewal Namespace Secret Residual Time
|
||||||
|
---------------------------------------------------------------------------------------
|
||||||
|
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
|
||||||
|
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
|
||||||
|
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
|
||||||
|
---------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
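Review bot: the deprecation note "This script is deprecated and no longer maintained." should name the replacement (the ``system certificate-list`` and ``system certificate-show`` commands the commit message identifies as the primary api/cli path) so a reader who lands in this section via search knows which tool to use instead. Two smaller wording points in the re-added option list: "``-e`` <number-of-days>. Changes to highlight (in red) certificates within <number-of-days> of expiry." reads awkwardly and could be "``-e`` <number-of-days> highlights (in red) certificates within <number-of-days> of expiry.", and "Kubernetes SECRETS" should be "Kubernetes Secrets". Finally, the path "/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt" carries a per-run random suffix, so the prose around "The script displays the path to the file with a note at the end of the displayed output." should say the file name varies and must be taken from that note rather than from the example.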