Certificate interactions

How to inspect or modify certificates

When working with SSL you will often need to verify certificates. This section provides some tips.

Example Root CA certificate in PEM format:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Keystore Explorer

When working with certificates, it is important to be able to read certificate details. A recommended tool is KeyStore Explorer that enables you to inspect certificates in great detail, but also to create or modify keystores and truststores.

OpenSSL

With OpenSSL (documentation here) you can verify certificates exposed on endpoints and inspect certificate files from a terminal. OpenSSL can be installed locally or used from a Pod; the Kafka broker Pods, for example, have openssl installed.

Verify exposed certificates

openssl s_client -connect HOST:PORT -showcerts

This prints the full certificate chain, including the CNs and expiry dates of each certificate.
The section Acceptable client certificate CA names shows the list of Root CAs the server trusts.

Inspect certificate

openssl x509 -in CERTIFICATE_NAME.pem -subject -issuer -dates -alias
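The two commands above can be chained so that every certificate the endpoint presents is inspected, not only the leaf. The script below is an added example (not code from the original page): it fetches the chain with s_client, splits the PEM bundle into one file per certificate with awk, and runs x509 on each. It assumes openssl is on PATH; HOST and PORT are placeholders, and the -servername option (SNI) and the stdin redirect are additions to the page's s_client command so that name-based virtual hosts return the right certificate and s_client exits after the handshake. SAMPLE_BUNDLE is a constructed placeholder bundle, not a real chain, used only to exercise the splitting logic.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Write the PEM chain presented by HOST:PORT to stdout.
# -servername sends SNI; </dev/null closes stdin so s_client returns.
fetch_chain() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle on stdin into DIR/cert-0.pem, DIR/cert-1.pem, ...
# and print the number of certificates found.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }'
}

# Print subject, issuer and validity period of every certificate in DIR.
# Certificates come out in the order the server sent them: leaf first,
# then intermediates, so the issuer of each should be the subject of the next.
inspect_chain() {
    for pem in "$1"/cert-*.pem; do
        echo "== $pem"
        openssl x509 -in "$pem" -noout -subject -issuer -dates
    done
}

# Constructed placeholder bundle (two fake certificates) for offline use.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder2
-----END CERTIFICATE-----'

# Against a live endpoint (HOST and PORT are placeholders):
#   fetch_chain HOST PORT | split_chain /tmp/chain && inspect_chain /tmp/chain
```

Comparing the issuer printed for cert-0.pem with the subject of cert-1.pem is the quickest way to spot a server that sends an incomplete or wrongly ordered chain, which is a common cause of clients rejecting an otherwise valid certificate.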

Online

Never paste private keys in insecure locations, especially not online!

You can check TLS certificates online for example on sslchecker.com/certdecoder

Check certificate validity on Kubernetes cluster

Assuming you use cert-manager (you really should), it is possible to set up a certificate dashboard in Grafana, that can be used to check certificate status quickly.

Kubectl / OC

To check Certificates on the Kubernetes cluster directly, use the following command; it gives a quick overview of all Certificates with their expiry date and renewal time.

kubectl get certificates -o json | grep '"name"\|notAfter\|renewalTime'

"name": "app-one",
    "name": "axual-dummy-cluster-issuer"
"notAfter": "2025-04-04T20:22:16Z",
"renewalTime": "2025-03-20T20:22:16Z"
"name": "axual-rest-proxy",
    "name": "axual-dummy-cluster-issuer"
"notAfter": "2025-03-05T16:23:13Z",
"renewalTime": "2025-02-18T16:23:13Z",
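Scanning that output by eye does not scale once a cluster has dozens of Certificates. The script below is an added example (not code from the original page) that reads the same grep output and reports every Certificate whose notAfter falls within a given number of days of a reference date. SAMPLE_OUTPUT is constructed to mirror the output shown above; the date arithmetic is done in awk so that it does not depend on GNU-specific date(1) options.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Constructed copy of the grep'ed "kubectl get certificates -o json" output.
SAMPLE_OUTPUT='"name": "app-one",
    "name": "axual-dummy-cluster-issuer"
"notAfter": "2025-04-04T20:22:16Z",
"renewalTime": "2025-03-20T20:22:16Z"
"name": "axual-rest-proxy",
    "name": "axual-dummy-cluster-issuer"
"notAfter": "2025-03-05T16:23:13Z",
"renewalTime": "2025-02-18T16:23:13Z",'

# check_expiry REF_DATE WARN_DAYS   (reads the grep output on stdin)
# REF_DATE is YYYY-MM-DD, normally $(date -u +%Y-%m-%d); passing it in
# keeps the function deterministic. Dates become day counts via the
# civil-to-days formula so only awk arithmetic is needed.
check_expiry() {
    awk -v refdate="$1" -v warn="$2" '
    function days(date,    p, y, m, d, era, yoe, mp, doy, doe) {
        split(substr(date, 1, 10), p, "-")
        y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        mp = (m + 9) % 12
        doy = int((153 * mp + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468      # days since 1970-01-01
    }
    BEGIN { ref = days(refdate) }
    # Only unindented "name" lines are Certificate names; the indented ones
    # belong to issuerRef and must not overwrite the current name.
    /^"name":/ { gsub(/[",]/, "", $2); cert = $2 }
    /"notAfter":/ {
        gsub(/[",]/, "", $2)
        left = days($2) - ref
        if (left <= warn)
            printf "%s expires in %d days (%s)\n", cert, left, $2
    }'
}

# With 2025-03-01 as reference and a 30-day window only the REST proxy is
# flagged: axual-rest-proxy expires in 4 days (2025-03-05T16:23:13Z)
printf '%s\n' "$SAMPLE_OUTPUT" | check_expiry 2025-03-01 30
```

In day-to-day use pipe the live command into it, for example kubectl get certificates -o json | grep '"name"\|notAfter\|renewalTime' | check_expiry "$(date -u +%Y-%m-%d)" 30. A Certificate that is flagged here while its renewalTime has already passed indicates that cert-manager failed to renew it, which is worth investigating before the expiry date rather than after.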

How to update certificates

Cert-Manager

Cert-manager automatically creates a new certificate when the renewalTime is reached, which updates the content (tls.crt and tls.key) of the target Secret.
Note that the Secret may look unaffected at a glance (its creation date stays the same), but its contents have changed. To update a certificate issued by cert-manager in a Kubernetes TLS Secret, do the following:

  • Ensure that a Certificate resource exists which requests the certificate from cert-manager

  • (Optional) Make a copy of the certificate data, for comparison or to be defensive

  • Delete the Secret; it will be recreated right away

  • (Optional) Compare the new certificate and key data with the old version

  • Restart the component using the Secret; otherwise the component will keep using the now replaced certificate.

  • Verify the connectivity of the component
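The six steps above, carried out as one script, as an added example that is not the page's own procedure code. It assumes kubectl, openssl and base64 on PATH, that the component using the Secret is a Deployment, and that NAMESPACE, SECRET and DEPLOYMENT are placeholders supplied by the caller. secret_field parses the one-line "tls.crt": "..." form that kubectl -o json prints; SAMPLE_SECRET_JSON and its contents are constructed so the helper can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Print the base64-decoded value of KEY from a Secret's JSON read on stdin.
secret_field() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*\"$key_re\": \"\([^\"]*\)\".*/\1/p" | base64 -d
}

# renew_cert_manager_secret NAMESPACE SECRET DEPLOYMENT
renew_cert_manager_secret() {
    ns="$1"; secret="$2"; deploy="$3"
    work=$(mktemp -d)

    # Step 1: a Certificate must reference this Secret, or nothing recreates it.
    kubectl -n "$ns" get certificates -o json | grep -q "\"secretName\": \"$secret\"" \
        || { echo "no Certificate with secretName $secret in $ns" >&2; return 1; }

    # Step 2: defensive copy of the old Secret and its decoded certificate.
    kubectl -n "$ns" get secret "$secret" -o json > "$work/old-secret.json"
    secret_field tls.crt < "$work/old-secret.json" > "$work/old.crt"

    # Step 3: delete; cert-manager recreates the Secret with fresh tls.crt/tls.key.
    kubectl -n "$ns" delete secret "$secret"

    # Step 4: wait until the Secret is back and its certificate differs from the copy.
    tries=0
    while :; do
        if kubectl -n "$ns" get secret "$secret" -o json 2>/dev/null \
               | secret_field tls.crt > "$work/new.crt" 2>/dev/null \
           && [ -s "$work/new.crt" ] && ! cmp -s "$work/old.crt" "$work/new.crt"; then
            break
        fi
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "Secret $secret not renewed after 60s" >&2; return 1; }
        sleep 2
    done
    openssl x509 -in "$work/new.crt" -noout -subject -dates

    # Steps 5 and 6: restart the consumer so it loads the new material, then
    # confirm the rollout finished (check connectivity with s_client afterwards).
    kubectl -n "$ns" rollout restart deployment "$deploy"
    kubectl -n "$ns" rollout status deployment "$deploy"
}

# Constructed Secret JSON (placeholder certificate and key, not real material)
# in the layout kubectl -o json prints, for exercising secret_field offline.
OLD_CRT='-----BEGIN CERTIFICATE-----
constructed-placeholder-old
-----END CERTIFICATE-----'
SAMPLE_SECRET_JSON="{
    \"apiVersion\": \"v1\",
    \"data\": {
        \"tls.crt\": \"$(printf '%s\n' "$OLD_CRT" | base64 | tr -d '\n')\",
        \"tls.key\": \"$(printf '%s\n' 'constructed-placeholder-key' | base64 | tr -d '\n')\"
    },
    \"kind\": \"Secret\"
}"

# Usage against a cluster (placeholders): renew_cert_manager_secret NAMESPACE SECRET DEPLOYMENT
```

The wait loop is the important part: deleting the Secret and immediately restarting the component races cert-manager, and a Pod that starts before the Secret is recreated fails to mount it. Comparing the decoded old and new tls.crt also covers the point made above that the Secret looks unchanged at a glance.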

Manual

When cert-manager is not an option, for example, with certificates signed elsewhere, a manual update of a Secret containing a certificate is required.

  • Make a defensive copy of the data contained in the old Secret

  • Replace the fields with the new certificate data

    • Re-use the same data field names (tls.crt, tls.key, etc.)

    • Kubernetes Secrets require base64 encoded data

  • Restart the component(s) using the Secret

  • Verify the connectivity of the component
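The manual steps above as one script, added here as an example and not the page's own code. It assumes kubectl and openssl on PATH and takes NAMESPACE, SECRET, the new certificate and key files, and the DEPLOYMENT that consumes the Secret as placeholder arguments. The key/certificate match check is an addition a practitioner would want before touching the Secret, since a mismatched pair only surfaces when the component restarts.

```shell
#!/bin/sh
# Added example, not part of the original page.

# Base64-encode a file as a single line, the form Kubernetes Secret data requires.
encode_field() {
    base64 < "$1" | tr -d '\n'
}

# Succeed only if the private key belongs to the certificate (compares public keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# update_tls_secret NAMESPACE SECRET NEW_CERT.pem NEW_KEY.pem DEPLOYMENT
update_tls_secret() {
    ns="$1"; secret="$2"; cert="$3"; key="$4"; deploy="$5"

    key_matches_cert "$cert" "$key" \
        || { echo "private key does not match certificate" >&2; return 1; }

    # Defensive copy of the old Secret.
    kubectl -n "$ns" get secret "$secret" -o yaml > "$secret.backup.yaml"

    # Replace only tls.crt and tls.key; a strategic merge patch keeps the
    # existing field names and leaves any other keys (e.g. ca.crt) untouched.
    kubectl -n "$ns" patch secret "$secret" \
        -p "{\"data\":{\"tls.crt\":\"$(encode_field "$cert")\",\"tls.key\":\"$(encode_field "$key")\"}}"

    # Restart the consumer and confirm the rollout finished.
    kubectl -n "$ns" rollout restart deployment "$deploy"
    kubectl -n "$ns" rollout status deployment "$deploy"
}

# Usage (placeholders): update_tls_secret NAMESPACE SECRET new.crt new.key DEPLOYMENT
```

Once the rollout completes, run the openssl s_client command from the OpenSSL section against the component to confirm it presents the new certificate and expiry date.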