OCP4 Tips P.02/Change API Cert


Hello everyone, this is the second article in our OpenShift Tips and Tricks series. In the first article we talked about how to replace the default ingress certificate, which is issued by OpenShift's internal self-signed CA, with one signed by our company CA. If you haven't read it yet, you can find it at the link below.

Let's start with a quick recap of what we said before about OpenShift:

1- OpenShift uses an internal self-signed CA by default.
2- Ingress route certificates are all issued by that internal CA by default.
3- The same goes for the API certificate: it is issued by the same internal CA.

So our goal today is similar to last time: replace the default API certificate with one issued and signed by our company CA.

Now that we have identified today's goal, let's go through the detailed steps.

1- We need to create a private key

openssl genrsa -out openshift-api.key 2048

2- Create the CSR (certificate signing request) config file. Replace the CN and DNS.1 with your API hostname, and IP.1 with the IP of your API

cat openshift-api-csr.conf

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn


[ dn ]
C = EG
L = Cairo
O = Cairo
OU = IT_Infra
CN = api.ocp4.example.com


[ req_ext ]
subjectAltName = @alt_names


[ alt_names ]
DNS.1 = api.ocp4.example.com
IP.1 = 192.168.1.2
        

3- Create the CSR

openssl req -new -key openshift-api.key -config openshift-api-csr.conf -out openshift-api.csr

4- Send the CSR to the team responsible for issuing and signing certificates in your organization

5- Make sure you receive not only your own CRT but also the root CRT and any intermediate CRTs, all of them in PEM format

Let's say they sent you the CRT files below

  • openShift-api.crt
  • RootCA.crt
  • IntermediateCA.crt

6- Check your certificate type and how it was signed; please read step 6 in the last article

7- Now we create the certificate chain file. The chain is built from the leaf backwards, which means the order is: API certificate, then intermediate, and finally root. If there is no intermediate, it is simply API and then root.

cat openShift-api.crt IntermediateCA.crt RootCA.crt > openshift-api-cert-chain.crt

8- Check that the chain file is ordered correctly

> openssl storeutl -noout -text -certs openshift-api-cert-chain.crt | grep -E -i 'subject:|issuer:'
        Issuer: DC=COM, DC=Example, CN=IntermediateCA
        Subject: C=EG, L=Cairo, O=Cairo, OU=IT_Infra, CN=api.ocp4.example.com
        Issuer: CN=RootCA
        Subject: DC=COM, DC=Example, CN=IntermediateCA
        Issuer: CN=RootCA
        Subject: CN=RootCA

9- Verify the chain using openssl

> openssl verify -CAfile openshift-api-cert-chain.crt openShift-api.crt
openShift-api.crt: OK

At this point we are sure the certificate chain file was created correctly, so now we can start working with OpenShift.

1- Create a secret that holds the API certificate

oc create secret tls api-cert --cert=openshift-api-cert-chain.crt --key=openshift-api.key -n openshift-config
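Steps 7 to 9 above, together with the secret creation, can be scripted and checked rather than eyeballed. The script below is an added example (my own code, not from the original article or from OpenShift): it builds the chain in the leaf, intermediate, root order, confirms programmatically that each certificate's Issuer is the Subject of the certificate that follows it, runs the same openssl verify as step 9, and adds two checks worth doing before oc create secret tls: that the private key really belongs to the certificate, and that the SAN lists the hostname you will put in namedCertificates.names. It assumes openssl 1.1.1 or newer on PATH; the RootCA, IntermediateCA and api.ocp4.example.com certificates it generates are a constructed throwaway hierarchy standing in for the files your PKI team sends back.

```shell
#!/bin/sh
# Added example, not code from the original article. It scripts steps 7-9
# (build the chain leaf -> intermediate -> root, check the order, verify it)
# and the pre-flight checks worth running before 'oc create secret tls':
# the private key must belong to the certificate, and the SAN must list the
# API hostname that namedCertificates.names will carry.
# Assumes openssl 1.1.1 or newer on PATH. The RootCA / IntermediateCA / leaf
# created below are a CONSTRUCTED throwaway hierarchy standing in for the
# files your PKI team returned.
set -eu

# Build the demo PKI in $1: RootCA.crt, IntermediateCA.crt, openShift-api.crt/.key
make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    # root: CSR, then self-signed with explicit CA extensions
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=RootCA" \
        -keyout "$d/RootCA.key" -out "$d/RootCA.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -in "$d/RootCA.csr" -signkey "$d/RootCA.key" \
        -extfile "$d/ca.ext" -out "$d/RootCA.crt" 2>/dev/null
    # intermediate, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=COM/DC=Example/CN=IntermediateCA" \
        -keyout "$d/IntermediateCA.key" -out "$d/IntermediateCA.csr" 2>/dev/null
    openssl x509 -req -days 30 -sha256 -in "$d/IntermediateCA.csr" -CA "$d/RootCA.crt" \
        -CAkey "$d/RootCA.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/IntermediateCA.crt" 2>/dev/null
    # API server leaf, signed by the intermediate, same subject/SAN as the article's CSR config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=EG/L=Cairo/O=Cairo/OU=IT_Infra/CN=api.ocp4.example.com" \
        -keyout "$d/openshift-api.key" -out "$d/openshift-api.csr" 2>/dev/null
    printf 'subjectAltName=DNS:api.ocp4.example.com,IP:192.168.1.2\n' >"$d/leaf.ext"
    openssl x509 -req -days 30 -sha256 -in "$d/openshift-api.csr" -CA "$d/IntermediateCA.crt" \
        -CAkey "$d/IntermediateCA.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/openShift-api.crt" 2>/dev/null
}

# Step 7: leaf first, then intermediate(s), then root. '>' rather than '>>',
# so a stale chain file from an earlier attempt cannot be appended to.
build_chain() {
    d="$1"
    cat "$d/openShift-api.crt" "$d/IntermediateCA.crt" "$d/RootCA.crt" >"$d/openshift-api-cert-chain.crt"
}

# Step 8, done programmatically: every certificate's Issuer must equal the
# Subject of the certificate that follows it in the file. Returns 1 on a break.
check_chain_order() {
    chain="$1"; t=$(mktemp -d)
    # split the PEM bundle into cert-1.pem, cert-2.pem, ... in file order
    awk -v d="$t" '/BEGIN CERTIFICATE/{n++} {print > (d "/cert-" n ".pem")}' "$chain"
    n=$(grep -c 'BEGIN CERTIFICATE' "$chain"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$t/cert-$i.pem")
        subject=$(openssl x509 -noout -subject -in "$t/cert-$((i + 1)).pem")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain broken at certificate $i: '$issuer' does not match the next '$subject'" >&2
            rm -rf "$t"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$t"; return 0
}

# Pre-flight 1: the key ($2) must belong to the certificate ($1). Compare the
# public key derived from each; a mismatch means the secret would be useless.
check_key_matches() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Pre-flight 2: the SAN of $1 must list hostname $2, otherwise the API server
# will never select this certificate for that name.
check_san_covers() {
    openssl x509 -noout -ext subjectAltName -in "$1" | grep -qE "DNS:$2(,|$)"
}

demo() {
    w=$(mktemp -d)
    make_demo_pki "$w"
    build_chain "$w"
    check_chain_order "$w/openshift-api-cert-chain.crt" && echo "chain order: OK"
    check_key_matches "$w/openShift-api.crt" "$w/openshift-api.key" && echo "key matches certificate: OK"
    check_san_covers "$w/openShift-api.crt" api.ocp4.example.com && echo "SAN covers API hostname: OK"
    # step 9 from the article, against the constructed chain
    openssl verify -CAfile "$w/openshift-api-cert-chain.crt" "$w/openShift-api.crt"
    # a root-first bundle is the classic mistake; the order check catches it
    cat "$w/RootCA.crt" "$w/IntermediateCA.crt" "$w/openShift-api.crt" >"$w/wrong-order.crt"
    check_chain_order "$w/wrong-order.crt" 2>/dev/null || echo "root-first bundle rejected, as expected"
    rm -rf "$w"
}
demo
```

Run it as-is to see the demo; on a real bastion you would drop make_demo_pki and point build_chain and the three checks at the files from your PKI team. The order check is the one that matters most in practice: openssl verify in step 9 passes even for a root-first bundle, because it treats everything in -CAfile as trusted, so it does not prove the file order that the API server needs.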

2- Add the secret to the apiserver

oc patch apiserver cluster --type=merge -p '{"spec":{"servingCerts": {"namedCertificates": [{"names": ["api.ocp4.example.com"], "servingCertificate": {"name": "api-cert"}}]}}}'

3- Any Linux machine that will talk to the API, for example the bastion or helper node usually used to run oc commands, must trust the new API certificate

# copy all CA files
cp RootCA.crt IntermediateCA.crt /usr/share/pki/ca-trust-source/anchors/

update-ca-trust enable
update-ca-trust force-enable
update-ca-trust

4- Edit the kubeconfig generated during installation: comment out --insecure-skip-tls-verify or any CA lines present, since they may still point at the old internal CA, so you may need to replace it with the new one
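Step 4 as a script, added here as an example (my own code, not from the original article): it comments out insecure-skip-tls-verify and certificate-authority-data in a copy of the kubeconfig and then counts whether any active line is left. The kubeconfig content inside it is constructed for the demo with placeholder base64 values; on a real bastion you would point it at the installer's auth/kubeconfig.

```shell
#!/bin/sh
# Added example, not from the original article: step 4 (edit the installer
# kubeconfig) as a repeatable script, plus a check that nothing was missed.
# The kubeconfig written below is CONSTRUCTED for the demo; the real file is
# the one the installer wrote under auth/kubeconfig, and the base64 blobs are
# placeholders, not real keys or certificates.
set -eu

# Comment out 'insecure-skip-tls-verify' and the embedded internal-CA data.
# Indentation is preserved, so the file stays valid YAML. With no CA pinned,
# the client verifies the API through the system trust store, which step 3
# populated with the company CA.
sanitize_kubeconfig() {
    sed -E 's/^([[:space:]]*)(insecure-skip-tls-verify|certificate-authority-data):/\1# \2:/' "$1" >"$2"
}

# Number of lines that still actively set either field; 0 means clean.
count_active_tls_overrides() {
    grep -cE '^[[:space:]]*(insecure-skip-tls-verify|certificate-authority-data):' "$1" || true
}

# Write the constructed sample kubeconfig to $1.
write_demo_kubeconfig() {
    cat >"$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: PLACEHOLDER-INTERNAL-CA-BASE64
    server: https://api.ocp4.example.com:6443
  name: ocp4
contexts:
- context:
    cluster: ocp4
    user: admin
  name: admin
current-context: admin
kind: Config
users:
- name: admin
  user:
    client-certificate-data: PLACEHOLDER-CLIENT-CERT-BASE64
    client-key-data: PLACEHOLDER-CLIENT-KEY-BASE64
EOF
}

w=$(mktemp -d)
write_demo_kubeconfig "$w/kubeconfig"
sanitize_kubeconfig "$w/kubeconfig" "$w/kubeconfig.new"
echo "active TLS overrides before: $(count_active_tls_overrides "$w/kubeconfig")"
echo "active TLS overrides after:  $(count_active_tls_overrides "$w/kubeconfig.new")"
cat "$w/kubeconfig.new"
rm -rf "$w"
```

The script writes to a new file rather than editing in place, so the original kubeconfig is kept until you have confirmed that oc login works against the new certificate.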

5- After everything is OK and all ClusterOperators are available, try to log in

unset KUBECONFIG
oc login -u <username> https://api.ocp4.example.com

That's the end for today. I hope you enjoyed reading it and found it helpful.

Please also note that all the examples above were tested on OpenShift 4.10.25.

Here are the docs related to this topic:

Ahmed Nabil (Solution Architect at e& UAE | CKA), 2 years ago:

Bravo, Remona!


More articles by Remon Ibrahim
