After installing OpenShift you'll find a number of certificate authorities that are used to issue the ingress and API certificates. Even in a test environment you will want to configure your clients to trust them. This script extracts the certificates from the kubeconfig into files containing a single certificate each, so you can more easily do so.
Last active
March 6, 2026 10:08
Extract OpenShift CA Certificates from Install Generated Kubeconfig
```sh
#!/bin/sh
# Decode the CA bundle embedded in the installer-generated kubeconfig.
cat "$KUBECONFIG" \
  | yq e '.clusters[0].cluster."certificate-authority-data"' \
  | base64 -d > kubeconfig-ca-data.pem
split -p "-----BEGIN CERTIFICATE-----" kubeconfig-ca-data.pem cert-
# The split above writes one file per certificate; -p is a BSD/macOS split option.
# Rename each piece after the CN of its subject.
for c in cert-??; do
  subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^.*CN[[:space:]]*=[[:space:]]*\(.*\)/\1/')
  echo "$subject"
  mv "$c" "${subject}.pem"
done
```
Hi, I've tested it on Fedora Linux and it's not working because of the split "-p" parameter, which doesn't seem to exist for that distro.
I've found a serverfault post that showed an alternative by using csplit and it should work for everybody else who has the same issue I've encountered.
I've replaced line 6 with the following one and it worked for me (Fedora Linux 43):
```sh
csplit -s -z -f cert- kubeconfig-ca-data.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
```
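A portable take on the split-and-rename steps, given that `split -p` and `csplit -z` each exist on only some platforms. This is an added example, not the gist author's or the commenter's code; the function names and the `ca-certs` output directory are assumptions. It also sanitizes the CN before using it as a file name and prints each certificate's SHA-256 fingerprint so it can be checked before the CA is trusted.

```shell
#!/bin/sh
# Added example, not the gist's code. Function names and the output
# directory are assumptions. Needs only POSIX awk/sed/tr plus openssl.

# Write each certificate in PEM bundle $1 to $2/cert-NN.pem and print the
# count. Text outside the BEGIN/END markers is dropped.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Map a subject CN to a file name that cannot leave the output directory
# or be mistaken for a command-line option.
safe_name() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_' | sed 's/^[.-]/_/'
}

# Split bundle $1 into directory $2 (default ./ca-certs), rename each file
# after its CN, and print "<file> <SHA-256 fingerprint>" for review.
extract_cas() {
  dir=${2:-ca-certs}
  mkdir -p "$dir" || return 1
  split_bundle "$1" "$dir" >/dev/null || return 1
  for c in "$dir"/cert-??.pem; do
    [ -f "$c" ] || continue
    # Leave anything openssl cannot parse under its cert-NN name.
    fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null) || continue
    fp=${fp#*=}
    cn=$(openssl x509 -in "$c" -noout -subject |
         sed 's/^.*CN[[:space:]]*=[[:space:]]*\(.*\)/\1/')
    name=$(safe_name "$cn")
    # Two CAs can share a CN: disambiguate with part of the fingerprint.
    [ -e "$dir/$name.pem" ] && name="$name-$(printf '%s' "$fp" | tr -d ':' | cut -c1-8)"
    mv "$c" "$dir/$name.pem" && printf '%s %s\n' "$dir/$name.pem" "$fp"
  done
}

# Run only when a bundle path is given, e.g.:
#   sh extract-cas.sh kubeconfig-ca-data.pem
if [ "$#" -gt 0 ]; then extract_cas "$@"; fi
```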