Added new topic with Utility script added to display certificates installed on a system

updated Patchset 5 comments
Updated Patchset 4 comments
Updated Patchset 1 comments

Story: https://storyboard.openstack.org/#!/story/2009190
Task: 43396

Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
Change-Id: I82bcb12060cfa0c0d4ed26b352d4d5391f66aa91
Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>

parent 86e1b981ce
commit 1b2c274e17
doc/source/security/kubernetes
@ -99,6 +99,7 @@ Secure HTTPS Connectivity
|
||||
:maxdepth: 2
|
||||
|
||||
https-access-overview
|
||||
utility-script-to-display-certificates
|
||||
starlingx-rest-api-applications-and-the-web-administration-server
|
||||
kubernetes-root-ca-certificate
|
||||
security-install-update-the-docker-registry-certificate
|
||||
|
@ -0,0 +1,78 @@
|
||||
|
||||
|
||||
.. _utility-script-to-display-certificates:
|
||||
|
||||
------------------------------------------
|
||||
Display Certificates Installed on a System
|
||||
------------------------------------------
|
||||
|
||||
The utility script **show-certs.sh** can be used to display an overview of the
|
||||
various certificates that exist in the system along with their expiry date.
|
||||
|
||||
The :command:`show-certs.sh` command has the following options:
|
||||
|
||||
**sudo show-certs.sh [-k] [-e <number-of-days>] [-h]**
|
||||
|
||||
where:
|
||||
|
||||
By default, :command:`show-certs.sh` command displays the platform-managed
|
||||
system certificates, and (highlighted in red) certificates requiring manual
|
||||
renewal, and certificates expiring within 90 days.
|
||||
|
||||
options:
|
||||
|
||||
-k displays certificates found in any Kubernetes SECRETS;
|
||||
this may include platform certificates and end-users' certificates
|
||||
|
||||
-e <number-of-days> changes to highlight (in red) certificates within
|
||||
<number-of-days> of expiry
|
||||
|
||||
-h displays help
|
||||
|
||||
For example:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
~(keystone_admin)]$ sudo show-certs.sh
|
||||
|
||||
registry.local CERTIFICATE:
|
||||
-----------------------------------------------------
|
||||
Renewal : Manual
|
||||
Filename : /etc/ssl/private/registry-cert.crt
|
||||
Subject : /CN=registry.local
|
||||
Issuer : /CN=registry.local
|
||||
Issue Date : Aug 31 01:43:09 2021 GMT
|
||||
Expiry Date : Aug 31 01:43:09 2022 GMT
|
||||
Residual Time : 341d
|
||||
-----------------------------------------------------
|
||||
|
||||
For scalability in a Distributed cloud system, the Subcloud ICA certificates
|
||||
are redirected to a file. The script displays the path to the file with a note
|
||||
at the end of the output file.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
Subcloud ICA certificates (*-adminep-ca-certificate) are saved to
|
||||
/tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt in order to limit the
|
||||
size of the output.
|
||||
|
||||
For example,
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
~(keystone_admin)]$ cat /tmp/subcloud-icas-tls-secrets.HqZSBQoUUJ.txt
|
||||
|
||||
Renewal Namespace Secret Residual Time
|
||||
---------------------------------------------------------------------------------------
|
||||
Automatic [Managed by Cert-Manager] dc-cert subcloud1-adminep-ca-certificate 364d
|
||||
Automatic [Managed by Cert-Manager] dc-cert subcloud10-adminep-ca-certificate 364d
|
||||
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
|
||||
---------------------------------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
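Review bot: In the synopsis part of the new topic, "where:" is left dangling: it is followed by the paragraph on default behaviour, and the option descriptions only begin under the later "options:" label. Suggest removing "where:" (or moving it directly above the option list), placing the default-behaviour paragraph ahead of the synopsis line, and marking up -k, -e <number-of-days> and -h as an RST option list so they render consistently. In the Distributed Cloud paragraph, "with a note at the end of the output file" reads as though the note sits inside the redirected file, whereas the sample note that follows looks like part of the script's own output; "at the end of the output" would be clearer. The text also does not say which invocation triggers the redirect: the example command shown is plain sudo show-certs.sh, while the file name subcloud-icas-tls-secrets points at the Kubernetes secrets listing from -k. Because the listing is written under /tmp, the topic should state who can read that file and whether the script removes it afterwards.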