Unknown issuer of SSL certificate signed using CertificateSigningRequest

Posted on

I'm having a problem that all SSL certificates generated by kubernetes using CertificateSigningRequest are signed with unknown issuer - issuer does not exist in any of kubernetes certificates (none of CA that exists in secrets in default-token which is mounted to Pod under /run/secrets/kubernetes.io/serviceaccount/ path).

Issuer which signed my SSL certificate is not present in any of secrets (Issuer: CN = kube-csr-signer_@1581572617). While CA contains following issuers:

        Subject: CN=ingress-operator@1581504807
        Subject: CN=openshift-cluster-monitoring@1581505033
        Subject: CN=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1581504437
        Subject: OU=openshift, CN=kube-apiserver-lb-signer
        Subject: OU=openshift, CN=kube-apiserver-localhost-signer
        Subject: OU=openshift, CN=kube-apiserver-service-network-signer

Where may I find ca.crt with issuer or is this method valid for obtaining certificates for Openshift Platform.

P.S. Under bare kubernetes platform everything works properly so it must be Openshift specific problem.

Openshift Version: 4.3

Responses