Security Guide Reference - Updating the Display Certificates Installed on a System section to show that:
- the primary way to display certificates is with the api/cli, system certificate-list/show
- the alternate (but deprecated) way is with show-certs.sh

Change-Id: I0facb8dd5ec3e82b6b2bb0bead4c2aaf1689d5d5
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
Display Certificates Installed on a System

The system certificate-list command

The system certificate-list command can be used to list the platform certificates present on the system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The system certificate-list command has the following options:

system certificate-list --expired
lists the expired certificates.

system certificate-list --soon_to_expiry <N>
lists the certificates expiring within the given <N> days.

For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:19 2025
Issuer : CN=starlingx
Subject : CN=kubernetes-admin,O=system:masters
Renewal : Automatic
File Path : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
apiserver
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:17 2025
Issuer : CN=starlingx
Subject : CN=kube-apiserver
Renewal : Automatic
File Path : /etc/kubernetes/pki/apiserver.crt
+------------------------------------------------------------+
..etc
The system k8s-certificate-list command can be used to list all Kubernetes TLS/Opaque type certificates present on the system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The system k8s-certificate-list command has the following options:

system k8s-certificate-list --expired
lists the expired certificates.

system k8s-certificate-list --soon_to_expiry <N>
lists the certificates expiring within the given <N> days.

For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/ca.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/tls.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
..etc
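As an added example that is not part of the StarlingX documentation or of the system CLI, the following Python script parses the record format printed by both system certificate-list and system k8s-certificate-list, recomputes the residual time from the Expiry Date, and reports certificates that are expired, expiring within N days, or set to Manual renewal. The sample output embedded in the script is constructed to match the layout shown above; the function names and the client-side re-implementation of the --expired and --soon_to_expiry checks are assumptions of this example, not CLI behaviour.

```python
"""Report on the output of `system certificate-list` / `system k8s-certificate-list`.

Added example: not part of the StarlingX documentation or the `system` CLI.
It parses the record format the CLI prints (SAMPLE_OUTPUT below is a
constructed sample in that layout), recomputes residual time from the
Expiry Date and reports expired, soon-to-expire and Manual-renewal
certificates. Function names and the client-side re-implementation of
--expired / --soon_to_expiry are assumptions of this example.
"""
import re
import sys
from datetime import datetime

# Constructed sample output: two records in the layout the CLI prints.
SAMPLE_OUTPUT = """\
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:19 2025
Issuer : CN=starlingx
Subject : CN=kubernetes-admin,O=system:masters
Renewal : Automatic
File Path : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
system-restapi-gui-certificate
+------------------------------------------------------------+
Residual Time : 84d
Issue Date : June 07 12:25:25 2024
Expiry Date : September 05 12:25:25 2024
Issuer : CN=starlingx
Subject : CN=system-restapi-gui,O=starlingx
Renewal : Manual
File Path : /etc/ssl/private/server-cert.pem
+------------------------------------------------------------+
"""

SEPARATOR = re.compile(r"^\+-+\+$")      # a '+-----+' rule between records
DATE_FORMAT = "%B %d %H:%M:%S %Y"        # e.g. 'June 07 12:17:19 2025', no tz


def parse_cli_date(text):
    """Turn a date in the CLI's own format into a naive datetime."""
    return datetime.strptime(text.strip(), DATE_FORMAT)


def parse_certificate_list(text):
    """Return one dict per certificate record, in output order.

    Layout: separator, certificate name, separator, 'Key : Value' lines.
    A non-separator line without ' : ' therefore starts a new record and is
    its name; every other line is an attribute of the current record.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if " : " in line:
            key, _, value = line.partition(" : ")
            if current is not None:
                current[key.strip()] = value.strip()
        else:
            current = {"Name": line}
            records.append(current)
    return records


def residual_days(record, now):
    """Days until expiry as of `now` (negative once expired). Computed from
    Expiry Date rather than the Residual Time column, which is only valid at
    the moment the CLI ran."""
    return (parse_cli_date(record["Expiry Date"]) - now).days


def expired(records, now):
    """Names of certificates already past their Expiry Date (cf. --expired)."""
    return [r["Name"] for r in records if residual_days(r, now) < 0]


def expiring_within(records, days, now):
    """(name, residual_days) for certificates expiring within `days` of
    `now` (cf. --soon_to_expiry <N>); already-expired ones are included."""
    return [(r["Name"], residual_days(r, now))
            for r in records if residual_days(r, now) <= days]


def manual_renewal(records):
    """Names of certificates the platform will not renew on its own."""
    return [r["Name"] for r in records if r.get("Renewal") == "Manual"]


def report(text, days, now):
    """One line per finding, suitable for a monitoring check."""
    records = parse_certificate_list(text)
    lines = [f"EXPIRED  {name}" for name in expired(records, now)]
    lines += [f"EXPIRING {name} in {left}d"
              for name, left in expiring_within(records, days, now) if left >= 0]
    lines += [f"MANUAL   {name}" for name in manual_renewal(records)]
    return lines


if __name__ == "__main__":
    # Pipe real output in (`system certificate-list | python3 cert_report.py`)
    # or run with no stdin to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for line in report(data, 90, datetime.now()):
        print(line)
```

Recomputing from Expiry Date rather than trusting the Residual Time column matters when the CLI output is collected by a scheduled job and examined later: Residual Time is relative to the moment the command ran, while Expiry Date is fixed. The Manual renewal check is the finding to watch most closely, since those certificates will silently expire unless someone acts on them.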
The command system certificate-show <certificate name> shows the full details of the certificate; the certificate name can be picked from the system certificate-list output.

For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate
Certificate:
Residual Time: 84d
Version: v3
Serial Number: 0xf6de1076c4f523ae530b39730c61a769
Issuer: CN=starlingx
Validity:
Not Before: June 07 12:25:25 2024
Not After: September 05 12:25:25 2024
Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a
Subject Public Key Info:
key_size: (2048 bit)
X509v3 extensions:
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
critical: True
X509v3 Basic Constraints:
CA: False
critical: True
X509v3 Authority Key Identifier:
keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744
X509v3 Subject Alternative Name:
DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local']
IP Address: ['10.10.10.12']
Signature Algorithm: sha256WithRSAEncryption
Signature: <signature value omitted>
File Path: /etc/ssl/private/server-cert.pem
Renewal: Automatic
Namespace: deployment
Secret: system-restapi-gui-certificate
The command system k8s-certificate-show <certificate name> shows the full details of the Kubernetes certificate; the certificate name can be picked from the system k8s-certificate-list output.

For example:
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca
Certificate:
Residual Time: 3640d
Version: v3
Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4
Issuer: CN=starlingx
Validity:
Not Before: June 03 09:26:57 2024
Not After: June 01 09:26:57 2034
Subject: CN=starlingx
Subject Public Key Info:
key_size: (4096 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: ['starlingx']
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA: True
critical: True
Signature Algorithm: sha256WithRSAEncryption
Signature: <signature value omitted>
Namespace: cert-manager
Secret: system-local-ca
Renewal: Manual
Secret Type: kubernetes.io/tls
The show-certs.sh script

Note
This script is deprecated and no longer maintained.

The show-certs.sh script is an alternative way to display a list of the specific certificates present on a system with details such as expiry date, residual time, subject, issuer and renewal behaviour (manual or automatic).

The show-certs.sh command has the following options:

sudo show-certs.sh [-k] [-e <number-of-days>] [-h]

By default, the show-certs.sh command displays the platform-managed system certificates, highlighting in red those requiring manual renewal and those expiring within 90 days.

where:

-k
displays certificates found in any Kubernetes SECRETS; this may include platform certificates and end-users' certificates.

-e <number-of-days>
changes the highlighting (in red) to certificates within <number-of-days> of expiry.

-h
displays help

Note
This command can only be run locally on the active controller, in an SSH shell.

For example:
~(keystone_admin)]$ sudo show-certs.sh
registry.local CERTIFICATE:
-----------------------------------------------------
Renewal : Manual
Filename : /etc/ssl/private/registry-cert.crt
Subject : /CN=registry.local
Issuer : /CN=registry.local
Issue Date : Aug 31 01:43:09 2021 GMT
Expiry Date : Aug 31 01:43:09 2022 GMT
Residual Time : 341d
-----------------------------------------------------
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
------------------------------------------
Renewal : Automatic [Managed by Cert-Manager]
Namespace : deployment
Secret : system-openldap-local-certificate
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d
… etc
For scalability reasons, in a Distributed Cloud system the Subcloud ICA certificates present on a SystemController are redirected to a file rather than printed. The script displays the path to that file in a note at the end of the output:
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.
For example:
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
Renewal Namespace Secret Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------