K8s: Examine tls secrets - Mon, Apr 29, 2024
I have recently been working on provisioning certificates for ingresses using cert-manager and the ACME protocol. The certificates cert-manager creates are stored in Kubernetes secrets of type `kubernetes.io/tls`. The format is always the same:
```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...
  tls.key: LS0tLS1CRUdJTiBTSU0EgUFJJVkFURS...
...
```
The `tls.crt` node contains the certificate and the `tls.key` node the server key. When troubleshooting problems with these certificates, I frequently needed to look at the certificate details (such as issuer or validity period). To do so, I not only had to decode the `tls.crt` value, I also had to pass it to `openssl` to get the certificate's details.
Here is the command that does the trick:

```shell
# Quoting the JSONPath keeps the escaped dot in "tls\.crt" intact in any shell.
kubectl get secrets -n <namespace> <secret_name> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
```
First the `tls.crt` value is extracted from the secret, then it is base64-decoded and passed to openssl, which prints the details.
The output of the openssl command is very lengthy and looks something like this:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:44:89:4f:fd:69:03:1f:a1:7d:2f:5b:32:d9:77:9z
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=MY-Organisation, CN=My-CA-Name
        Validity
            Not Before: Apr 29 05:39:57 2024 GMT
            Not After : May 4 23:59:59 2025 GMT
        Subject: CN=eample.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
```
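`openssl x509` reads only the first certificate from its input, so when `tls.crt` holds a chain (leaf plus intermediates) the command above shows the leaf alone. The following is an added example, not part of the original post: it prints a short summary for every certificate in the value and flags any that expire soon. The function name `tls_chain_summary` and the 30-day default window are assumptions made for this example.

```shell
# Added example. Reads the base64 value of tls.crt on stdin, e.g. from:
#   kubectl get secrets -n <namespace> <secret_name> \
#     -o jsonpath='{.data.tls\.crt}' | tls_chain_summary 30
# Exit status: 0 all fine, 1 a certificate failed the expiry check, 2 no certificate.
tls_chain_summary() (
  warn_days="${1:-30}"              # warning window in days (assumed default)
  tmp="$(mktemp -d)" || exit 2
  # Decode, then write each PEM certificate block to its own numbered file.
  base64 -d | awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }'
  rc=0; i=0
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || { echo "no certificate found in input" >&2; rc=2; break; }
    i=$((i + 1))
    # -checkend N exits non-zero when the certificate expires within N seconds
    # (a certificate that cannot be parsed also lands in the else branch).
    if openssl x509 -in "$f" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
      status="ok"
    else
      status="EXPIRES_WITHIN_${warn_days}d"; rc=1
    fi
    echo "[$i] $status"
    # Same fields the post looks for in the long -text output, one per line.
    openssl x509 -in "$f" -noout -subject -issuer -startdate -enddate | sed 's/^/    /'
  done
  rm -rf "$tmp"
  exit "$rc"
)
```

Entry `[1]` is the first certificate in `tls.crt`, which is the one the single `openssl x509` call in the post displays.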