IBM Support

How to extract and check the Cloud Pak for Security TLS certificates within the "isc-ingress-default-secret"

How To


Summary

The Cloud Pak for Security domain is provided at installation time and requires a TLS certificate to allow access to the Cloud Pak for Security web console. If a Cloud Pak for Security platform is not installed on one of the following environments, then a unique FQDN for the Cloud Pak for Security platform must be created.

Objective

How to:
  • Display the certificate from within the secret to the console in text format.
  • Extract the certificate file and key for the Cloud Pak for Security domain from the secret.

Environment

IBM Cloud®
Amazon Web Services (AWS)
Microsoft Azure
VMware (vSphere)
Required:
  • Red Hat OpenShift CLI command-line tool
  • OpenSSL tool

Steps

Option 1: Display the certificate from within the secret to the console in text format

  1. Display the names of the keys in the secret:
    oc describe secret isc-ingress-default-secret -n YOUR-CP4S-NAMESPACE-HERE
    NOTE: Replace YOUR-CP4S-NAMESPACE-HERE with the namespace your Cloud Pak for Security is under.
    EXAMPLE OUTPUT:
    Name:         isc-ingress-default-secret
    Namespace:    cp4s
    Labels:       app.kubernetes.io/instance=isc-ingress-default-secret
                  app.kubernetes.io/managed-by=ibm-security-solutions-prod
                  app.kubernetes.io/name=isc-ingress-default-secret
    Annotations:  <none>
    Type:  kubernetes.io/tls
    Data
    ====
    tls.crt:  4320 bytes
    tls.key:  1678 bytes
    In this example of the console output, the keys in the secret are tls.crt and tls.key.
  2. Display the contents of the certificate within the secret:
    oc extract secret/isc-ingress-default-secret -n YOUR-CP4S-NAMESPACE-HERE --keys tls.crt --to - | openssl x509 -noout -text
    NOTE: The --keys option of the command refers to the tls.crt key.
    EXAMPLE OUTPUT:
    # tls.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
            Signature Algorithm: sha384WithRSAEncryption
            Issuer: C = AT, O = CertIssuerCo, CN = CertsIssuerCoRSA Domain Secure Site CA
            Validity
                Not Before: Oct 30 00:00:00 2021 GMT
                Not After : Jan 28 23:59:59 2023 GMT
            Subject: CN = your.cp4s-domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01:01

Option 2: Extract the certificate and key from the secret

  1. Extract the keys in the secret to files in the current working directory:
    oc extract secret/isc-ingress-default-secret -n YOUR-CP4S-NAMESPACE-HERE
    NOTE: Replace YOUR-CP4S-NAMESPACE-HERE with the namespace your Cloud Pak for Security is under.
  2. Files are created with the names tls.crt and tls.key.
    NOTE: Extracting the keys from the secret creates files of the same name.
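
Once Option 2 has written tls.crt and tls.key to disk, the shell functions below check that the key belongs to the certificate, that the certificate is not close to expiry, and that the private key file is not readable by other users. This is an added example, not part of the IBM document; the function names, the 30-day default and the self-signed sample generator are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the tls.crt / tls.key files written by `oc extract`.
# All function names and the 30-day default are assumptions, not from the IBM page.

# Public key (PEM) of the FIRST certificate in the file; in a chain file this
# is normally the leaf certificate for the Cloud Pak for Security domain.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# Public key (PEM) derived from the private key file.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the private key corresponds to the certificate, 1 if not,
# 2 if either file cannot be parsed (so two unreadable files never "match").
cert_matches_key() {
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate is still valid N days from now (openssl -checkend).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if the key file grants no permissions to group or others.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run all checks on a directory holding tls.crt and tls.key; non-zero on any failure.
check_extracted_pair() {   # usage: check_extracted_pair DIR [MIN_DAYS]
    dir=$1; days=${2:-30}; rc=0
    cert_matches_key "$dir/tls.crt" "$dir/tls.key" ||
        { echo "FAIL: tls.key does not match tls.crt"; rc=1; }
    cert_valid_for_days "$dir/tls.crt" "$days" ||
        { echo "FAIL: tls.crt is invalid or expires within $days days"; rc=1; }
    key_is_private "$dir/tls.key" ||
        { echo "FAIL: tls.key is accessible to group or others"; rc=1; }
    return $rc
}

# Constructed sample pair (self-signed, CN taken from the page's example output)
# so the checks can be tried offline without a cluster. Usage: make_sample_pair DIR DAYS
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=your.cp4s-domain.com" \
        -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# After `oc extract`, in the directory holding the files:  check_extracted_pair . 30
```

Delete the extracted tls.key when it is no longer needed, since it is the private key for the console's TLS certificate.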

Document Location

Worldwide

Document Information

Modified date:
10 March 2022

UID

ibm16416009