The default API server certificate is issued by an internal OpenShift Container Platform cluster CA. Clients outside of the cluster will not be able to verify the API server’s certificate by default. This certificate can be replaced by one that is issued by a CA that clients trust.

Add an API server default certificate

To allow clients outside the cluster to validate the API server’s certificate, you can replace the default certificate with one that is issued by a public or organizational CA.

Prerequisites
  • You must have a valid certificate and key in the PEM format.

Procedure
  1. Create a secret that contains the certificate and key in the openshift-config namespace.

    $ oc create secret tls <certificate> \ (1)
         --cert=</path/to/cert.crt> \ (2)
         --key=</path/to/cert.key> \ (3)
         -n openshift-config
    1 <certificate> is the name of the secret that will contain the certificate.
    2 </path/to/cert.crt> is the path to the certificate on your local file system.
    3 </path/to/cert.key> is the path to the private key associated with this certificate.
  2. Update the API server to reference the created secret.

    $ oc patch apiserver cluster \
         --type=merge -p \
         '{"spec": {"servingCerts": {"defaultServingCertificate":
         {"name": "<certificate>"}}}}' (1)
    1 Replace <certificate> with the name used for the secret in the previous step.
  3. Examine the apiserver/cluster object and confirm the secret is now referenced.

    $ oc describe apiserver cluster
    ...
    Spec:
      Serving Certs:
        Default Serving Certificate:
          Name:  <certificate>
    ...

Add an API server named certificate

The default API server certificate is issued by an internal OpenShift Container Platform cluster CA. You can add additional certificates that the API server presents depending on the URL the client requests, for example when a reverse proxy or load balancer sits in front of the API server.

Prerequisites
  • You must have the certificate and key, in the PEM format, for the client’s URL.

  • The certificate must be issued for the URL used by the client to reach the API server.

  • The certificate must have the subjectAltName extension for the URL.

Procedure
  1. Create a secret that contains the certificate and key in the openshift-config namespace.

    $ oc create secret tls <certificate> \ (1)
         --cert=</path/to/cert.crt> \ (2)
         --key=</path/to/cert.key> \ (3)
         -n openshift-config
    1 <certificate> is the name of the secret that will contain the certificate.
    2 </path/to/cert.crt> is the path to the certificate on your local file system.
    3 </path/to/cert.key> is the path to the private key associated with this certificate.
  2. Update the API server to reference the created secret.

    $ oc patch apiserver cluster \
         --type=merge -p \
         '{"spec":{"servingCerts": {"namedCertificates":
         [{"names": ["<hostname>"], (1)
         "servingCertificate": {"name": "<certificate>"}}]}}}' (2)
    1 Replace <hostname> with the hostname that the API server should provide the certificate for.
    2 Replace <certificate> with the name used for the secret in the previous step.
  3. Examine the apiserver/cluster object and confirm the secret is now referenced.

    $ oc describe apiserver cluster
    ...
    Spec:
      Serving Certs:
        Named Certificates:
          Names:
            <hostname>
          Serving Certificate:
            Name:  <certificate>
    ...
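Both procedures above rely on the prerequisites being met before step 1: the certificate and key must be PEM encoded, must belong together, and for a named certificate must carry the client's hostname in the subjectAltName extension. Neither `oc create secret tls` nor the `oc patch` step validates this for you, so a mismatch only shows up as TLS failures after the API server reloads its certificates. The following script is an added example, not part of the OpenShift documentation; it assumes the `openssl` CLI is installed, and the function names and the sample hostname `api.example.com` are illustrative choices.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation: pre-flight checks
# for a PEM certificate/key pair before it is stored in the openshift-config
# TLS secret. Requires the openssl CLI. The function names and the sample
# hostname api.example.com are assumptions for illustration.

# cert_is_pem FILE: succeed when FILE parses as a PEM X.509 certificate.
cert_is_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# key_is_pem FILE: succeed when FILE parses as a PEM private key.
key_is_pem() {
    grep -q 'PRIVATE KEY' "$1" &&
        openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# cert_key_match CERT KEY: succeed when the public key inside CERT equals the
# public key derived from KEY, i.e. the two files really belong together.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT HOST: succeed when CERT lists HOST as a DNS entry in its
# subjectAltName extension. Named certificates are selected by SAN, so a
# certificate whose only identity is the CN is not sufficient.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qx "DNS:$2"
}

# cert_not_expired CERT: succeed when CERT is valid at the current time.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# preflight CERT KEY [HOST]: run every check and report the first failure.
# Returns 0 only when all checks pass. HOST is optional for the default
# certificate and required for a named certificate.
preflight() {
    cert="$1"; key="$2"; host="$3"
    cert_is_pem "$cert"           || { echo "not a PEM certificate: $cert"; return 1; }
    key_is_pem "$key"             || { echo "not a PEM private key: $key"; return 1; }
    cert_key_match "$cert" "$key" || { echo "private key does not match certificate"; return 1; }
    cert_not_expired "$cert"      || { echo "certificate has expired"; return 1; }
    if [ -n "$host" ]; then
        cert_has_san "$cert" "$host" || { echo "no subjectAltName DNS entry for $host"; return 1; }
    fi
    echo "ok: $cert / $key${host:+ for $host}"
}

# Usage once the checks pass (paths and secret name are placeholders):
# preflight /path/to/cert.crt /path/to/cert.key api.example.com &&
#   oc create secret tls <certificate> --cert=/path/to/cert.crt \
#       --key=/path/to/cert.key -n openshift-config
```

Run `preflight` with only the certificate and key for the default serving certificate, and with the hostname as a third argument for a named certificate. Comparing the public keys rather than the raw key material keeps the check working for RSA and EC keys alike, and the SAN check is deliberately an exact match on a `DNS:` entry, which is what a client validating the API server hostname will require.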