docs/doc/source/security/kubernetes/utility-script-to-display-certificates.rst
Elisamara Aoki Goncalves 4d8775ca61 Updates on Certificate Management (pick)
Removed rst substitution from tables and inline markups.

Updated table and restructured sections in the overview.

Fixed issues, reworded paragraphs, changed titles.

Deleted unnecessary sections, added a new item to section and fixed editorial issues.

Fixed editorial and formatting issues.

Fixed more editorial and formatting issues.

Fixed formatting and editorial issues.

Added command line.

Fixed command line.

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
2021-11-09 17:54:11 -03:00


Display Certificates Installed on a System

The utility script show-certs.sh displays an overview of the certificates installed on the system, together with their expiry dates and the time remaining before each one expires.

The show-certs.sh command has the following options:

sudo show-certs.sh [-k] [-e <number-of-days>] [-h]

By default, show-certs.sh displays the platform-managed system certificates and highlights in red the certificates that require manual renewal and the certificates that expire within 90 days.

where:

-k                    displays certificates found in any Kubernetes secrets; this may include platform certificates and end users' certificates

-e <number-of-days>   changes the expiry window: certificates within <number-of-days> of expiry are highlighted in red (the default is 90 days)

-h                    displays help

For example:

~(keystone_admin)]$ sudo show-certs.sh

registry.local  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /etc/ssl/private/registry-cert.crt
Subject         :  /CN=registry.local
Issuer          :  /CN=registry.local
Issue Date      :  Aug 31 01:43:09 2021 GMT
Expiry Date     :  Aug 31 01:43:09 2022 GMT
Residual Time   :  341d
-----------------------------------------------------
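The following Python is an added example, not code from the StarlingX show-certs.sh script or from this page. It parses output in the layout shown above, recomputes the residual time from the Expiry Date line instead of trusting the printed Residual Time, and applies the same two rules the script uses for highlighting: manual renewal, and expiry within the -e window (90 days by default). The sample output, the certificate names, paths and dates in it, and the fixed "now" used for the calculation are all constructed so that the numbers are reproducible offline; a practitioner feeding the script's output into monitoring would replace SAMPLE_NOW with datetime.now(timezone.utc).

```python
# Added example (not StarlingX's show-certs.sh): parse its output and re-apply
# the renewal/expiry rules locally. The sample below is constructed; names, paths
# and dates are invented to mirror the layout shown on the page.
import re
from datetime import datetime, timezone

# Constructed sample in the layout show-certs.sh prints (not real output).
SAMPLE_OUTPUT = """\
registry.local  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /etc/ssl/private/registry-cert.crt
Subject         :  /CN=registry.local
Issuer          :  /CN=registry.local
Issue Date      :  Aug 31 01:43:09 2021 GMT
Expiry Date     :  Aug 31 01:43:09 2022 GMT
Residual Time   :  341d
-----------------------------------------------------

example-ingress  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Automatic [Managed by Cert-Manager]
Filename        :  /tmp/example-ingress.crt
Subject         :  /CN=ingress.example.test
Issuer          :  /CN=example-issuer
Issue Date      :  Aug 17 01:43:09 2021 GMT
Expiry Date     :  Nov 15 01:43:09 2021 GMT
Residual Time   :  52d
-----------------------------------------------------

example-expired  CERTIFICATE:
-----------------------------------------------------
Renewal         :  Manual
Filename        :  /tmp/example-expired.crt
Subject         :  /CN=old.example.test
Issuer          :  /CN=old.example.test
Issue Date      :  Sep  1 01:43:09 2020 GMT
Expiry Date     :  Sep  1 01:43:09 2021 GMT
-----------------------------------------------------
"""

# Fixed reference time so the residual values match the sample (assumption).
SAMPLE_NOW = datetime(2021, 9, 24, 1, 43, 9, tzinfo=timezone.utc)
HEADER_RE = re.compile(r"^(?P<name>\S.*?)\s+CERTIFICATE:\s*$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s+(?P<value>\S.*?)\s*$")
EXPIRY_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl's notAfter text, as printed above
RED, RESET = "\033[31m", "\033[0m"


def parse_show_certs(text):
    """Return one dict per certificate block, keyed by the printed field names."""
    certs, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group("name")}
            certs.append(current)
            continue
        if current is None or not line.strip() or line.startswith("---"):
            continue
        field = FIELD_RE.match(line)
        if field:
            current[field.group("key")] = field.group("value")
    return certs


def residual_days(cert, now):
    """Whole days until expiry (negative once expired), recomputed from Expiry Date."""
    expiry = datetime.strptime(cert["Expiry Date"], EXPIRY_FMT)
    return (expiry.replace(tzinfo=timezone.utc) - now).days


def classify(certs, now, expiring_days=90):
    """Flag manual-renewal certificates and anything within expiring_days of expiry
    (the script's -e window); expired certificates are always within the window."""
    report = []
    for cert in certs:
        days = residual_days(cert, now)
        report.append({
            "name": cert["name"],
            "renewal": cert["Renewal"],
            "residual_days": days,
            "manual_renewal": cert["Renewal"].startswith("Manual"),
            "expiring_soon": days <= expiring_days,
        })
    return report


def render(report):
    """One line per certificate, wrapped in red when it needs attention."""
    lines = []
    for item in report:
        text = f"{item['name']:<20} {item['renewal']:<38} {item['residual_days']:>5}d"
        if item["manual_renewal"] or item["expiring_soon"]:
            text = f"{RED}{text}{RESET}"
        lines.append(text)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(classify(parse_show_certs(SAMPLE_OUTPUT), SAMPLE_NOW, expiring_days=90)))
```

Passing a smaller window to classify (for example 30) reproduces the effect of `-e 30`: the 52-day certificate drops out of the red set while the expired one stays in it, because a negative residual is always within any window.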

For scalability in a Distributed Cloud system, the subcloud ICA certificates are written to a file instead of being printed. The script displays the path to the file in a note at the end of its output; the suffix in the file name (HqZSBQoUUJ in the example below) changes on every run, so copy the path from the note rather than relying on a fixed name.

Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
size of the output.

For example,

~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt

Renewal                              Namespace  Secret                   Residual Time
---------------------------------------------------------------------------------------
Automatic [Managed by Cert-Manager]   dc-cert   subcloud1-adminep-ca-certificate   364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud10-adminep-ca-certificate  364d
Automatic [Managed by Cert-Manager]   dc-cert   subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------