SupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 8. Managing certificates

Over the lifetime of a OpenShift Container Platform cluster, certificates will enter various phases of their lifecycle. The following procedures describe how to manage various parts of that lifecycle.

See Redeploying certificates for information on viewing certificate expirations and redeploying certificates.

8.1. Changing an application’s self-signed certificate to CA-signed certificate

Some application templates create a self-signed certificate that is then directly presented by the application to clients. As an example, by default and as part of the OpenShift Container Platform Ansible installer deployment process, the metrics deployer creates self-signed certificates.

These self-signed certificates are not recognized by browsers. To mitigate this issue, use a publicly signed certificate, then configure it to re-encrypt traffic with the self-signed certificate.

  1. Delete the existing route: 

    $ oc delete route hawkular-metrics -n openshift-infra

    With the route deleted, the certificates that will be used in the new route with the re-encrypt strategy must be assembled from the existing wildcard and self-signed certificates created by the metrics deployer. The following certificates must be available:

    • Wildcard CA certificate
    • Wildcard private key
    • Wildcard certificate

    • Hawkular CA certificate

      Each certificate must be available as a file on the file system for the new route.

      You can retrieve the Hawkular CA and store it in a file by executing the following command: 

      $ oc get secrets hawkular-metrics-certs \
    -n openshift-infra \
    -o jsonpath='{.data.ca\.crt}' | base64 \
    -d > hawkular-internal-ca.crt
  2. Locate the wildcard private key, certificate, and CA certificate. Place each into a separate file, such as wildcard.key, wildcard.crt, and wildcard.ca.

  3. Create the new re-encrypt route: 

    $ oc create route reencrypt hawkular-metrics-reencrypt \
    -n openshift-infra \
    --hostname hawkular-metrics.ocp.example.com \
    --key wildcard.key \
    --cert wildcard.crt \
    --ca-cert wildcard.ca \
    --service hawkular-metrics \
    --dest-ca-cert hawkular-internal-ca.crt
Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.