How to Use OpenSSL to Check Secret Certificate Information in OpenShift

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
  • Red Hat OpenShift on AWS (ROSA)
  • Red Hat OpenShift Dedicated (OSD)
  • Azure Red Hat OpenShift (ARO)

Issue

  • My certificate in an OpenShift Secret seems to be expired; how can I check?

Resolution

In OpenShift, certificates are usually stored as Secrets. You can combine openssl with oc commands to inspect the content of these certificates directly from the command line.

  • View Certificate Details:
    To view the details of a certificate stored in a secret:

    oc get secret [SECRET_NAME] -o jsonpath='{.data.[CERT_KEY]}' | base64 --decode | openssl x509 -inform PEM -text -noout
    

    Replace [SECRET_NAME] with the name of your secret and [CERT_KEY] with the key under which the certificate is stored, e.g., ca.crt. Dots inside the key name must be escaped with a backslash in the jsonpath expression, so for ca.crt the expression is '{.data.ca\.crt}'.

  • Check Certificate Expiry Date:
    To view the expiry date of a certificate:

    oc get secret [SECRET_NAME] -o jsonpath='{.data.[CERT_KEY]}' | base64 --decode | openssl x509 -inform PEM -noout -enddate
    
  • Verify Certificate's Signature:
    If you have the root certificate or the certificate of the issuer, you can verify the signature of the certificate in the secret:

    oc get secret [SECRET_NAME] -o jsonpath='{.data.[CERT_KEY]}' | base64 --decode | openssl verify -CAfile /path/to/root_or_issuer.crt
    
  • Check Private Key Information:
    If you have a private key stored in a secret and want to inspect its details:

    oc get secret [SECRET_NAME] -o jsonpath='{.data.[KEY_NAME]}' | base64 --decode | openssl rsa -inform PEM -text -noout
    

    Replace [KEY_NAME] with the key under which the private key is stored, e.g., tls.key (escaping the dot as tls\.key in the jsonpath expression). The openssl rsa command only reads RSA keys; openssl pkey -text -noout reads any key type.

  • Check if Certificate and Private Key Match:
    Sometimes, you might want to ensure that a certificate and private key in a secret match:

    oc get secret [SECRET_NAME] -o jsonpath='{.data.[CERT_KEY]}' | base64 --decode > cert.pem
    oc get secret [SECRET_NAME] -o jsonpath='{.data.[KEY_NAME]}' | base64 --decode > key.pem
    openssl x509 -noout -modulus -in cert.pem | openssl md5
    openssl rsa -noout -modulus -in key.pem | openssl md5
    

    The MD5 digests produced by the last two commands should be identical if the certificate and private key are a pair. This modulus comparison only applies to RSA keys.
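The checks from the steps above, wrapped into reusable shell functions as an added example that is not part of this Red Hat solution. Each function takes the base64 string that the oc ... -o jsonpath='...' commands print, so the same functions work on a real cluster; here the Secret values are constructed locally from a throwaway self-signed certificate, so the script runs without a cluster or oc. The function names, the temporary file layout and the sample subject name are assumptions. The expiry check uses openssl's -checkend option, and the key-match check goes beyond the article's RSA-only modulus comparison by comparing the public keys in SubjectPublicKeyInfo form, which also covers EC and Ed25519 keys.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. It assumes only that openssl
# and base64 are on PATH; the Secret values are constructed locally so the
# script runs without a cluster or `oc`.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data: a throwaway self-signed certificate and its key,
# base64-encoded the same way they appear under .data in a TLS Secret.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.internal" \
    -keyout "$WORK/tls.key" -out "$WORK/tls.crt" >/dev/null 2>&1
# A second, unrelated key, to show what a mismatch looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
TLS_CRT_B64=$(base64 < "$WORK/tls.crt" | tr -d '\n')
TLS_KEY_B64=$(base64 < "$WORK/tls.key" | tr -d '\n')
OTHER_KEY_B64=$(base64 < "$WORK/other.key" | tr -d '\n')

# secret_value_to_pem B64: decode one Secret value, i.e. the string that
#   oc get secret NAME -o jsonpath='{.data.tls\.crt}'
# prints on a real cluster, to PEM on stdout.
secret_value_to_pem() {
    printf '%s' "$1" | base64 -d
}

# cert_not_after B64: print the notAfter date of the certificate.
cert_not_after() {
    secret_value_to_pem "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within B64 DAYS: succeed (exit 0) if the certificate has already
# expired or expires within DAYS days; openssl's -checkend does the date math.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if secret_value_to_pem "$1" | openssl x509 -noout -checkend "$secs" >/dev/null; then
        return 1    # still valid beyond the window
    fi
    return 0        # expires within the window, or already expired
}

# cert_verify_against B64 CAFILE: succeed if the certificate chains to CAFILE.
cert_verify_against() {
    secret_value_to_pem "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# cert_key_match CRT_B64 KEY_B64: succeed if the private key belongs to the
# certificate. Comparing the public keys in SubjectPublicKeyInfo form works for
# RSA, EC and Ed25519 keys alike; the -modulus comparison only covers RSA.
cert_key_match() {
    cert_pub=$(secret_value_to_pem "$1" | openssl x509 -noout -pubkey)
    key_pub=$(secret_value_to_pem "$2" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run over the constructed Secret values.
echo "notAfter: $(cert_not_after "$TLS_CRT_B64")"
if cert_expires_within "$TLS_CRT_B64" 7; then
    echo "certificate expires within 7 days"
else
    echo "certificate is valid for more than 7 days"
fi
if cert_verify_against "$TLS_CRT_B64" "$WORK/tls.crt"; then
    echo "signature verifies against the given CA file"
fi
if cert_key_match "$TLS_CRT_B64" "$TLS_KEY_B64"; then echo "tls.key matches tls.crt"; fi
if ! cert_key_match "$TLS_CRT_B64" "$OTHER_KEY_B64"; then echo "other.key does NOT match tls.crt"; fi
```

On a cluster, replace the constructed TLS_CRT_B64 and TLS_KEY_B64 values with the output of oc get secret [SECRET_NAME] -o jsonpath='{.data.tls\.crt}' and the matching tls\.key expression. The script uses base64 -d, which GNU coreutils, busybox and recent macOS all accept, whereas the --decode spelling used above is GNU-specific.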

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
