March 9, 2023
OpenShift creates a number of Certificate Authorities to sign TLS certificates which secure functions including load balancing of the API and Ingress services.
Recent versions of openshift-install will place all the CA certificates in the generated
Here is how to extract those certificates and split them into individual files, which eases the process of trusting them, particularly on a Mac.
Script for Extracting Certificates
This script will extract all the certificates associated with the first cluster found in
$KUBECONFIG. You will need yq.
Extract the TLS certs from the kubeconfig generated during an OpenShift installation.
$ export KUBECONFIG=auth/kubeconfig
$ ext-kubeconfig-cacerts.sh
x.apps.hub.lab.bewley.net
ingress-operator@1675639609
kube-apiserver-localhost-signer
kube-apiserver-service-network-signer
kube-apiserver-lb-signer
$ ls -1
ingress-operator@1675639609.pem
kube-apiserver-lb-signer.pem
kube-apiserver-localhost-signer.pem
kube-apiserver-service-network-signer.pem
kubeconfig-ca-data.pem
x.apps.hub.lab.bewley.net.pem
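One way to do the extraction and split described above, as an added example rather than the author's ext-kubeconfig-cacerts.sh. It assumes yq (v4 syntax) and openssl are installed; the function names and the cert-NN.pem temporary names are hypothetical. It also prints each CA's SHA-256 fingerprint and expiry so you can check what you are about to trust.

```shell
#!/bin/sh
# Added example, not the post's ext-kubeconfig-cacerts.sh; names are hypothetical.
# Assumes yq (v4 syntax), openssl, awk, sed and tr are on PATH.

# Decode the CA bundle of the first cluster in the kubeconfig "$1".
ca_bundle() {
  yq -r '.clusters[0].cluster."certificate-authority-data"' "$1" |
    openssl base64 -d -A
}

# Split the PEM bundle on stdin into "$1"/cert-NN.pem and print how many
# certificates were written. Text outside BEGIN/END markers is dropped.
split_pem_bundle() {
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); keep = 1 }
    keep { print > out }
    /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
    END { print n + 0 }'
}

# First subject commonName of the certificate file "$1".
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n '/^ *commonName *= /{s///p;q;}'
}

# The CN is text chosen by whoever issued the certificate, so map anything
# outside [A-Za-z0-9._@-] to "_" and strip leading dots before using it as a file name.
safe_name() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_' | sed 's/^\.*//'
}

# Write one <CN>.pem per CA into "$2", then print its SHA-256 fingerprint and
# expiry so each CA can be checked before it goes into a trust store.
extract_ca_certs() {
  mkdir -p "$2" || return 1
  ca_bundle "$1" | split_pem_bundle "$2" >/dev/null
  for f in "$2"/cert-*.pem; do
    [ -e "$f" ] || { echo "no certificates found in $1" >&2; return 1; }
    name=$(safe_name "$(cert_cn "$f")")
    if [ -n "$name" ] && [ ! -e "$2/$name.pem" ]; then
      mv "$f" "$2/$name.pem" && f="$2/$name.pem"
    fi
    echo "$f"
    openssl x509 -in "$f" -noout -fingerprint -sha256 -enddate
  done
}

if [ "$#" -eq 2 ]; then extract_ca_certs "$1" "$2"; fi
```

Saved under a name of your choosing, it takes the kubeconfig path and an output directory as its two arguments, for example "$KUBECONFIG" and ca-certs.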
Trusting the Certs
Now you may drag and drop these certs onto the Keychain app on your Mac, then set them to Always Trust. Or on your Linux box place them in