$ cat server_cert.pem int2ca_cert.pem int1ca_cert.pem rootca_cert.pem>combined_cert.pem
The default API server certificate is issued by an internal OpenShift Container Platform cluster CA. Clients outside of the cluster will not be able to verify the API server’s certificate by default. This certificate can be replaced by one that is issued by a CA that clients trust.
The default API server certificate is issued by an internal OpenShift Container Platform cluster CA. You can add additional certificates to the API server to send based on the client’s requested URL, such as when a reverse proxy or load balancer is used.
You must have the certificate and key, in the PEM format, for the client’s URL.
The certificate must be issued for the URL used by the client to reach the API server.
The certificate must have the subjectAltName
extension for the URL.
If a certificate chain is required to certify the server certificate, then the certificate chain must be appended to the server certificate. certificate files must be Base64 PEM-encoded and typically have a .crt
or .pem
extension. For example:
$ cat server_cert.pem int2ca_cert.pem int1ca_cert.pem rootca_cert.pem>combined_cert.pem
When combining certificates, the order of the certificates is important. Each following certificate must directly certify the certificate preceding it, for example:
OpenShift Container Platform master host server certificate.
Intermediate CA certificate that certifies the server certificate.
Root CA certificate that certifies the intermediate CA certificate.
Do not provide a named certificate for the internal load balancer (host
name |
Create a secret that contains the certificate and key in the
openshift-config
namespace.
$ oc create secret tls <certificate> \(1) --cert=</path/to/cert.crt> \(2) --key=</path/to/cert.key> \(3) -n openshift-config
1 | <certificate> is the name of the secret that will contain
the certificate. |
2 | </path/to/cert.crt> is the path to the certificate on your
local file system. |
3 | </path/to/cert.key> is the path to the private key associated
with this certificate. |
Update the API server to reference the created secret.
$ oc patch apiserver cluster \ --type=merge -p \ '{"spec":{"servingCerts": {"namedcertificates": [{"names": ["<hostname>"], (1) "servingcertificate": {"name": "<certificate>"}}]}}}' (2)
1 | Replace <hostname> with the hostname that the API server
should provide the certificate for. |
2 | Replace <certificate> with the name used for the secret in
the previous step. |
Examine the apiserver/cluster
object and confirm the secret is now
referenced.
$ oc get apiserver cluster -o yaml ... spec: servingCerts: namedcertificates: - names: - <hostname> servingcertificate: name: <certificate> ...