Using OpenShift 4 As A Certificates CA

Why this Article

Today the very basic of securing your application is running it with a TLS encryption. When running the application on top of OpenShift we can utilized the Kubernetes Abilities and sign the application certificate when the CA is already part of OpenShift.

In OpenShift the CA certificate are being recycled as well so we do need to make sure that all the certificates are up 2 date.

What do we need ?

Openshift, That is it…. well almost we do need to create the CSR and the KEY. For that we need to create an answer file and use openssl to generate the 2 files.

Getting Started

The steps for generating the Certificate are simple. First we will generate the key and the the answer file for the CSR followed by the CSR. Once the two files are obtained we will create the “CertificateSigningRequest” resource and sign the certificate.

First (as root) let’s make sure the package is installed on the server :

# dnf install -y openssl

Now we can generate the key first .

$ openssl genrsa -out tls.key 2048

Next we can do one of 2 options. Create an answer file that will provide answers to the certificate request (suitable for DNS alternate names). and the other option is to generate the CSR in one liner.

the common name has a string limit in regards to the FQDN we need to input. As such if we have a long FQDN string we will not be able to get it generated without DNS alter names.

to generate the answer file I will first export our URL short name (the first part of the FQDN) and then the domain with environment variables :

# export DOMAIN="<>"
# export SHORT_NAME="<the name>"

Once both variables are set we can generate the answer file :

$ cat > ${SHORT_NAME}_answer.txt << EOF
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn
[ dn ]
ST=New York
L=New York
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]

In the DN section you can go ahead and change any parameter you want (except for the CN)

Next we can generate the CSR with the answer file :

# openssl req -new -key tls.key -out tls.csr -config <( cat ${SHORT_NAME}_answer.txt )

We will first export our URL short name (the first part of the FQDN) and then the domain with environment variables :

# export DOMAIN="<>"
# export SHORT_NAME="<the name>"

For short name in the CN we can simple create a one liner CN :

# openssl req -new -key tls.key -out tls.csr -subj "/CN=${SHORT_NAME}.${DOMAIN}/O=devops/O=My Org/C=US/ST=New York/L=New York"  -addext "subjectAltName = DNS:${SHORT_NAME},DNS:${SHORT_NAME}.${DOMAIN}"

(From the Official Kubernetes page) : “The CertificateSigningRequest resource type allows a client to ask for an X.509 certificate be issued, based on a signing request. The CertificateSigningRequest object includes a PEM-encoded PKCS#10 signing request in the spec.request field. The CertificateSigningRequest denotes the signer (the recipient that the request is being made to) using the spec.signerName field. Note that spec.signerName is a required key after API version In Kubernetes v1.22 and later, clients may optionally set the spec.expirationSeconds field to request a particular lifetime for the issued certificate. The minimum valid value for this field is 600, i.e. ten minutes.”

In order to sign our certificate we first need to generate a base64 string from it and add it to the CertificateSigningRequest CR.

# CERT_BASE64=$(cat tls.csr | base64 -w0) 

Now let’s create the CR :

# cat > tls-csr.yaml << EOF
kind: CertificateSigningRequest
name: ${SHORT_NAME}
request: ${CERT_BASE64}
expirationSeconds: 7776000 # three months
- client auth

Some points to note:

  • usages has to be 'client auth'
  • expirationSeconds could be made longer (i.e. 15552000 for half a year ) or shorter (i.e. 3600 for one hour)
  • request is the base64 encoded value of the CSR file content.

And Apply it :

# oc apply -f tls-csr.yaml

we can now view the certificate request (if we have the right permissions by running the “oc get csr” command :

# oc get csr
my-cert 17s system:admin Pending

As we can see the certificate status is “Pending” which is waiting for the admin (or user with the right permission) to approve the certificate.

Let’s go ahead and approve the certificate :

# oc adm certificate approve my-cert approved

Now, if we look at the CSR request we are going to see the certificates again but the state has changed :

# oc get csr
my-cert 2m51s system:admin Approved,Issued

Now that our certificate has been generated we can go ahead and extract it. sense the certificate is been saved as base64 we will need to decode the output

# oc get csr my-cert -o jsonpath='{.status.certificate}' | base64 -d

The output should look as such :


If you are getting the same results we are good to go.

For the last part we need to extract our CA certificate which OpenShift had used to sign the certificate. On Openshift there is a simple config map which contains all of the necessary CAs :

# oc get secret csr-signer -n openshift-kube-controller-manager-operator -o template='{{ index .data "tls.crt"}}' | base64 -d > route-ca.crt

Now we have everything we need in place and we go ahead and use the certificate.

That is it

If you have any question feel free to respond/ leave a comment.
You can find on linkedin at :
Or twitter at :




Open Source contributer for the past 15 years

Love podcasts or audiobooks? Learn on the go with our new app.

Python Pip & Virtual Environment Story

I made a useful application in Python to check Google search rankings

Is It Beneficial For Businesses To Invest in Android App Development?

Android App Development

[6] [ProjectX] — Using AWS API Gateway with AWS Lambda

Have a Cloud Transition you can be Proud Of

(PDF) Expert Oracle Database Architecture

Force SSL Certificate/HTTPS using .htaccess

Kubernetes, it’s everywhere!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Oren Oichman

Oren Oichman

Open Source contributer for the past 15 years

More from Medium

Minimize Impact in Kubernetes Using Argo Rollouts

Db2 on Kubernetes

OPA to Integrate with Kubernetes Admission Control → Ingresses: Restrict Hostnames

Kubernetes Events : Introduction and Filtering