From 1b2c274e1787da33e402ddad9eb2ebf35735d402 Mon Sep 17 00:00:00 2001 From: Juanita-Balaraj Date: Thu, 23 Sep 2021 12:52:15 -0400 Subject: [PATCH] Added new topic with Utility script added to display certificates installed on a system updated Patchset 5 comments Updated Patchset 4 comments Updated Patchset 1 comments Story: https://storyboard.openstack.org/#!/story/2009190 Task: 43396 Signed-off-by: Juanita-Balaraj Change-Id: I82bcb12060cfa0c0d4ed26b352d4d5391f66aa91 Signed-off-by: Juanita-Balaraj --- doc/source/security/kubernetes/index.rst | 1 + ...utility-script-to-display-certificates.rst | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 doc/source/security/kubernetes/utility-script-to-display-certificates.rst diff --git a/doc/source/security/kubernetes/index.rst b/doc/source/security/kubernetes/index.rst index dbf6040ca..0da14b289 100644 --- a/doc/source/security/kubernetes/index.rst +++ b/doc/source/security/kubernetes/index.rst @@ -99,6 +99,7 @@ Secure HTTPS Connectivity :maxdepth: 2 https-access-overview + utility-script-to-display-certificates starlingx-rest-api-applications-and-the-web-administration-server kubernetes-root-ca-certificate security-install-update-the-docker-registry-certificate diff --git a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst new file mode 100644 index 000000000..9ee6115e7 --- /dev/null +++ b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst 
@@ -0,0 +1,78 @@ + + +.. _utility-script-to-display-certificates: + +------------------------------------------ +Display Certificates Installed on a System +------------------------------------------ + +The utility script **show-certs.sh** can be used to display an overview of the +various certificates that exist in the system along with their expiry date. + +The :command:`show-certs.sh` command has the following options: + +**sudo show-certs.sh [-k] [-e ] [-h]** + +where: + +By default, :command:`show-certs.sh` command displays the platform-managed +system certificates, and (highlighted in red) certificates requiring manual +renewal, and certificates expiring within 90 days. + +options: + +-k displays certificates found in any Kubernetes SECRETS; + this may include platform certificates and end-users' certificates + +-e changes to highlight (in red) certificates within + of expiry + +-h displays help + +For example: + +.. code-block:: none + + ~(keystone_admin)]$ sudo show-certs.sh + + registry.local CERTIFICATE: + ----------------------------------------------------- + Renewal : Manual + Filename : /etc/ssl/private/registry-cert.crt + Subject : /CN=registry.local + Issuer : /CN=registry.local + Issue Date : Aug 31 01:43:09 2021 GMT + Expiry Date : Aug 31 01:43:09 2022 GMT + Residual Time : 341d + ----------------------------------------------------- + +For scalability in a Distributed cloud system, the Subcloud ICA certificates +are redirected to a file. The script displays the path to the file with a note +at the end of the output file. + +.. code-block:: none + + Subcloud ICA certificates (*-adminep-ca-certificate) are saved to + /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the + size of the output. + +For example, + +.. 
code-block:: none + + ~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt + + Renewal Namespace Secret Residual Time + --------------------------------------------------------------------------------------- + Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d + Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d + Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d + --------------------------------------------------------------------------------------- + + + + + + + +
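Review bot: In the new utility-script-to-display-certificates.rst, the synopsis and the -e description appear to be missing the argument placeholder: "[-e ]" and "certificates within of expiry" give no name or unit for the value, while the default paragraph says "within 90 days". Name the argument in both places so that the synopsis, the option text and the stated 90-day default agree. In the same block, "where:" is followed by the default-behaviour paragraph rather than by the option definitions, and "options:" then repeats its role; move the default paragraph above the synopsis or drop one of the two labels. In the Distributed Cloud paragraph, "with a note at the end of the output file" does not say whether the note appears in the script's output or in the saved file, and the example path /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt looks like a name generated per run; state that explicitly so readers use the path the script prints rather than the one shown in the example.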