docs/doc/source/security/kubernetes/utility-script-to-display-certificates.rst
Juanita-Balaraj 1b2c274e17 Added new topic with Utility script added to display certificates installed on a system
updated Patchset 5 comments
Updated Patchset 4 comments
Updated Patchset 1 comments
Story: https://storyboard.openstack.org/#!/story/2009190
Task:  43396

Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
Change-Id: I82bcb12060cfa0c0d4ed26b352d4d5391f66aa91
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
2021-09-27 17:10:56 -04:00

2.4 KiB

Display Certificates Installed on a System

The utility script show-certs.sh can be used to display an overview of the various certificates that exist in the system along with their expiry date.

The show-certs.sh command has the following options:

sudo show-certs.sh [-k] [-e <number-of-days>] [-h]

By default, the show-certs.sh command displays the platform-managed system certificates and highlights in red the certificates requiring manual renewal and the certificates expiring within 90 days.

Options:

-k                    displays certificates found in any Kubernetes SECRETS;
                      this may include platform certificates and end-users' certificates

-e <number-of-days>   changes the highlighting (in red) to certificates within
                      <number-of-days> of expiry

-h                    displays help

For example:

~(keystone_admin)]$ sudo show-certs.sh

registry.local  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /etc/ssl/private/registry-cert.crt
Subject         :  /CN=registry.local
Issuer          :  /CN=registry.local
Issue Date      :  Aug 31 01:43:09 2021 GMT
Expiry Date     :  Aug 31 01:43:09 2022 GMT
Residual Time   :  341d
-----------------------------------------------------

For scalability in a Distributed Cloud system, the subcloud ICA certificates are redirected to a file rather than printed inline. The script prints the path to that file in a note at the end of its output:

Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.

For example:

~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt

Renewal                              Namespace  Secret                   Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------
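The two output formats above (the per-certificate block and the subcloud ICA table) are what an operator typically feeds into monitoring. The following is an added example, not part of the StarlingX documentation or the show-certs.sh script: it parses both formats and reproduces the highlighting rule described earlier (manual renewal, or expiry within a configurable number of days, 90 by default). The sample text, the second certificate, the 30d subcloud row and the fixed reference time are constructed so the result is reproducible offline.

```python
"""Parse show-certs.sh style output and flag certificates needing attention.

Added example; not the show-certs.sh script itself. Only the Python standard
library is used. Sample inputs below are constructed to match the output
formats shown on the page.
"""
import re
from datetime import datetime, timezone

# Constructed sample mirroring the per-certificate block output of show-certs.sh.
# The second block (example-auto) is invented for the example.
SAMPLE_BLOCKS = """\
registry.local  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /etc/ssl/private/registry-cert.crt
Subject         :  /CN=registry.local
Issuer          :  /CN=registry.local
Issue Date      :  Aug 31 01:43:09 2021 GMT
Expiry Date     :  Aug 31 01:43:09 2022 GMT
Residual Time   :  341d
-----------------------------------------------------

example-auto  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Automatic [Managed by Cert-Manager]
Filename        :  /tmp/example-auto.crt
Subject         :  /CN=example-auto
Issuer          :  /CN=example-ca
Issue Date      :  Sep 01 00:00:00 2021 GMT
Expiry Date     :  Nov 15 00:00:00 2021 GMT
Residual Time   :  51d
-----------------------------------------------------
"""

# Constructed sample mirroring the subcloud ICA table that the script redirects to a file.
SAMPLE_TABLE = """\
Renewal                              Namespace  Secret                   Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  30d
---------------------------------------------------------------------------------------
"""

# Fixed reference "now" (constructed) so residual days are deterministic; it
# reproduces the 341d shown on the page for registry.local.
REFERENCE_NOW = datetime(2021, 9, 24, 1, 43, 9, tzinfo=timezone.utc)

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Aug 31 01:43:09 2022 GMT"


def parse_cert_blocks(text):
    """Return one dict per 'NAME  CERTIFICATE:' block, keyed by lower-cased field name."""
    certs = []
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+)\s+CERTIFICATE:\s*$", line)
        if header:
            current = {"name": header.group(1)}
            certs.append(current)
            continue
        # Skip text before the first block, separator lines and blank lines.
        if current is None or set(line.strip()) <= {"-"}:
            continue
        key, sep, value = line.partition(":")  # first ':' only; times keep their colons
        if sep:
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return certs


def residual_days(expiry_str, now=REFERENCE_NOW):
    """Whole days between `now` and an 'Expiry Date' value as printed by the script."""
    expiry = datetime.strptime(expiry_str, DATE_FMT).replace(tzinfo=timezone.utc)
    return (expiry - now).days


def flag_certs(certs, days=90, now=REFERENCE_NOW):
    """Apply the script's highlighting rule: manual renewal or expiry within `days`."""
    flagged = []
    for cert in certs:
        remaining = residual_days(cert["expiry_date"], now)
        reasons = []
        if cert.get("renewal", "").lower().startswith("manual"):
            reasons.append("manual renewal")
        if remaining <= days:
            reasons.append(f"expires in {remaining}d")
        if reasons:
            flagged.append((cert["name"], remaining, reasons))
    return flagged


def parse_subcloud_table(text):
    """Parse the redirected subcloud ICA table; header and separator rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s{2,}(\S+)\s+(\S+)\s+(\d+)d\s*$", line)
        if m:
            rows.append({"renewal": m.group(1).strip(), "namespace": m.group(2),
                         "secret": m.group(3), "residual_days": int(m.group(4))})
    return rows


def flag_subcloud_rows(rows, days=90):
    """Secrets whose residual time is within `days`, for the same threshold rule."""
    return [row["secret"] for row in rows if row["residual_days"] <= days]


if __name__ == "__main__":
    for name, remaining, reasons in flag_certs(parse_cert_blocks(SAMPLE_BLOCKS)):
        print(f"ATTENTION {name}: {remaining}d remaining ({', '.join(reasons)})")
    for secret in flag_subcloud_rows(parse_subcloud_table(SAMPLE_TABLE)):
        print(f"ATTENTION {secret}: within expiry threshold")
```

Pointing the parsers at the live output (`sudo show-certs.sh -k` and the `/tmp/subcloud-icas-tls-secrets.*.txt` file it names) instead of the constructed samples gives a machine-readable list that can be exported to an alerting system, with the same `-e`-style threshold applied through the `days` parameter.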