[ https://issues.apache.org/jira/browse/KNOX-3255?focusedWorklogId=1006055&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006055 ]

ASF GitHub Bot logged work on KNOX-3255:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Feb/26 10:01
            Start Date: 19/Feb/26 10:01
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1149:
URL: https://github.com/apache/knox/pull/1149

   [KNOX-3255](https://issues.apache.org/jira/browse/KNOX-3255) - Return 
signing keystore certificate when SSL is disabled in Admin API publicCert 
endpoint
   
   ## What changes were proposed in this pull request?
   
   This change improves the Admin API endpoint:
   ```
   GET /knoxtopology/admin/api/v1/metadata/publicCert
   ```
   to return a valid public certificate even when gateway SSL is disabled.
   
   Previously, the endpoint attempted to return the SSL certificate chain only. 
When SSL was disabled, no certificate chain was available and the request 
failed with SERVICE_UNAVAILABLE.
   
   **New Behavior**
   
   The endpoint now selects the certificate source based on the gateway SSL 
configuration:
   
   - SSL enabled → return the SSL certificate chain (unchanged behavior)
   - SSL disabled → return the certificate chain of the configured signing key 
from the signing keystore
   
   This ensures that clients can still obtain a usable public certificate for 
signature verification in non-SSL deployments.
   
   ## How was this patch tested?
   
   ```
   $ curl -ik http://central.knox.com:9090/gateway/metadata/api/v1/metadata/publicCert
   HTTP/1.1 200 OK
   Date: Thu, 19 Feb 2026 07:58:31 GMT
   Content-Disposition: attachment;filename=gateway-client-trust.pem
   Content-Type: application/octet-stream
   Content-Length: 1250
   
   -----BEGIN CERTIFICATE-----
   MIIDcDCCAligAwIBAgIJAL4DmOguvZBHMA0GCSqGSIb3DQEBCwUAMF8xEjAQBgNVBAMMCWxvY2Fs
   aG9zdDENMAsGA1UECwwEVGVzdDEPMA0GA1UECgwGSGFkb29wMQ0wCwYDVQQHDARUZXN0MQ0wCwYD
   VQQIDARUZXN0MQswCQYDVQQGEwJVUzAeFw0yNjAyMTkwNzE1MDZaFw0yNzAyMTkwNzE1MDZaMF8x
   EjAQBgNVBAMMCWxvY2FsaG9zdDENMAsGA1UECwwEVGVzdDEPMA0GA1UECgwGSGFkb29wMQ0wCwYD
   VQQHDARUZXN0MQ0wCwYDVQQIDARUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQAD
   ggEPADCCAQoCggEBANnyYe/C3vzk1W/ZCqnFm+g7uGgoozyhoLrGSgp3j3kOJFePZugnzm6NaqHv
   aoHftn92gDDzznE1VWROgBW7xwIFzc4eanyzhg9eUh4ED2LI856H09Xnl2eEpsvS2ymgnKwyxA1o
   ieMegaz/WBi7zWElIhRw+zlxh27/2/OrbJ16G1uyT962qY6v22Be67rJmaJVwCGmE6kG1Y/4b27V
   SGXp5z1rwJs77EBve4d/AJKQhRYzrDmhzLSXOEjha9x3OL9HCbc5EP+/2RpUj0u3dNG+U5VoBn1L
   inX+Pe/1IiazZWtOS4MJ9UkVEE1Knvd1jOYHYwGRX595cFBsMU+gU28CAwEAAaMvMC0wKwYDVR0R
   BCQwIoIVa25veC02YmY5ZjU1Njg3LWRmNm1ugglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB
   AJIJ3g175j2jmriNuyPf22oP+jJ5llII5hnTRlprcNitiIEV4Oq5tMm6Bv8m87ceNFVtq7Ssg2wF
   EllI0wbgfTXrYlVYchspt8nudR0I2I1KslmJghqBYIRDb397W4INoWTmzWyAuZENZQUqtS7y7+Ey
   G6AUuPMGdIszHu7L99gbTW0j+9/fG6ZBaI+3Nc1GMWVdGpzO1cN5lAkEv+FLE5G0CmFDDrZ3e75w
   5pem07xbrxrV1IHrdQleL1jRqB39eB7c+I2eeW1910oOI9Y3DYN1eXmQcwvet6SqSe46RBBnztSD
   yGBFPrHpWscFOw6NK38YtWPxQyAKPL2qEwvO0pI=
   -----END CERTIFICATE-----
   ```
   The Knox instance on `central.knox.com` runs with SSL disabled.
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1006055)
    Remaining Estimate: 0h
            Time Spent: 10m

> Return signing keystore certificate when SSL is disabled in Admin API 
> publicCert endpoint
> -----------------------------------------------------------------------------------------
>
>                 Key: KNOX-3255
>                 URL: https://issues.apache.org/jira/browse/KNOX-3255
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h3. Problem
> The Admin API endpoint:
> {noformat}
>  GET /knoxtopology/admin/api/v1/metadata/publicCert{noformat}
> currently returns the gateway’s public certificate chain obtained from the 
> SSL configuration. However, when SSL is disabled, no SSL certificate chain is 
> available, causing the endpoint to fail with a service unavailable response.
> This behavior prevents clients from retrieving a valid public certificate in 
> deployments where the gateway operates without HTTPS but still uses signing 
> keys (e.g., for token signing).
> h3. Proposed Improvement
> Enhance the endpoint to return an appropriate certificate chain even when SSL 
> is disabled.
> New behavior:
>  * If SSL is enabled → return the SSL public certificate chain (existing 
> behavior)
>  * If SSL is disabled → return the certificate chain associated with the 
> gateway signing key from the signing keystore
> This ensures that a meaningful public certificate is always available for 
> clients that need to verify signatures or establish trust with the gateway.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
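
Added example, not part of the pull request or of Knox's code: with SSL disabled the PEM bundle arrives over plain HTTP, so a client that will use it for signature verification can compare the leaf's SHA-256 fingerprint against a value obtained out of band before trusting it. Assumptions: the first certificate in the bundle is the signing key's own certificate, the pin comes from the operator, and the sample bundle is built from constructed bytes rather than real X.509 data.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    # validate=True rejects stray non-base64 characters instead of skipping them
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_pinned_leaf(pem_text, pinned_sha256_hex):
    """Return the chain only if its first certificate matches the pin."""
    chain = split_pem_chain(pem_text)
    if not chain:
        raise ValueError("no certificate found in response body")
    actual = sha256_fingerprint(chain[0])
    expected = pinned_sha256_hex.replace(":", "").lower()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("leaf fingerprint mismatch: " + actual)
    return chain


def to_pem(der):
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for DER certificates (not real X.509 data); only the
# byte-level splitting and fingerprint pinning are demonstrated here.
SAMPLE_LEAF = b"constructed-leaf-certificate-bytes" * 4
SAMPLE_ISSUER = b"constructed-issuer-certificate-bytes" * 4
SAMPLE_BUNDLE = to_pem(SAMPLE_LEAF) + to_pem(SAMPLE_ISSUER)
SAMPLE_PIN = sha256_fingerprint(SAMPLE_LEAF)

if __name__ == "__main__":
    chain = check_pinned_leaf(SAMPLE_BUNDLE, SAMPLE_PIN)
    print(len(chain), "certificates; leaf pinned OK")
```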
