smolnar82 opened a new pull request, #1149: URL: https://github.com/apache/knox/pull/1149
[KNOX-3255](https://issues.apache.org/jira/browse/KNOX-3255) - Return signing keystore certificate when SSL is disabled in Admin API publicCert endpoint ## What changes were proposed in this pull request? This change improves the Admin API endpoint: ``` GET /knoxtopology/admin/api/v1/metadata/publicCert ``` to return a valid public certificate even when gateway SSL is disabled. Previously, the endpoint attempted to return the SSL certificate chain only. When SSL was disabled, no certificate chain was available and the request failed with SERVICE_UNAVAILABLE. **New Behavior** The endpoint now selects the certificate source based on the gateway SSL configuration: - SSL enabled → return the SSL certificate chain (unchanged behavior) - SSL disabled → return the certificate chain of the configured signing key from the signing keystore This ensures that clients can still obtain a usable public certificate for signature verification in non-SSL deployments. ## How was this patch tested? ``` $ curl -ik http://central.knox.com:9090/gateway/metadata/api/v1/metadata/publicCert HTTP/1.1 200 OK Date: Thu, 19 Feb 2026 07:58:31 GMT Content-Disposition: attachment;filename=gateway-client-trust.pem Content-Type: application/octet-stream Content-Length: 1250 -----BEGIN CERTIFICATE----- MIIDcDCCAligAwIBAgIJAL4DmOguvZBHMA0GCSqGSIb3DQEBCwUAMF8xEjAQBgNVBAMMCWxvY2Fs aG9zdDENMAsGA1UECwwEVGVzdDEPMA0GA1UECgwGSGFkb29wMQ0wCwYDVQQHDARUZXN0MQ0wCwYD VQQIDARUZXN0MQswCQYDVQQGEwJVUzAeFw0yNjAyMTkwNzE1MDZaFw0yNzAyMTkwNzE1MDZaMF8x EjAQBgNVBAMMCWxvY2FsaG9zdDENMAsGA1UECwwEVGVzdDEPMA0GA1UECgwGSGFkb29wMQ0wCwYD VQQHDARUZXN0MQ0wCwYDVQQIDARUZXN0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBANnyYe/C3vzk1W/ZCqnFm+g7uGgoozyhoLrGSgp3j3kOJFePZugnzm6NaqHv aoHftn92gDDzznE1VWROgBW7xwIFzc4eanyzhg9eUh4ED2LI856H09Xnl2eEpsvS2ymgnKwyxA1o ieMegaz/WBi7zWElIhRw+zlxh27/2/OrbJ16G1uyT962qY6v22Be67rJmaJVwCGmE6kG1Y/4b27V SGXp5z1rwJs77EBve4d/AJKQhRYzrDmhzLSXOEjha9x3OL9HCbc5EP+/2RpUj0u3dNG+U5VoBn1L inX+Pe/1IiazZWtOS4MJ9UkVEE1Knvd1jOYHYwGRX595cFBsMU+gU28CAwEAAaMvMC0wKwYDVR0R BCQwIoIVa25veC02YmY5ZjU1Njg3LWRmNm1ugglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB AJIJ3g175j2jmriNuyPf22oP+jJ5llII5hnTRlprcNitiIEV4Oq5tMm6Bv8m87ceNFVtq7Ssg2wF EllI0wbgfTXrYlVYchspt8nudR0I2I1KslmJghqBYIRDb397W4INoWTmzWyAuZENZQUqtS7y7+Ey G6AUuPMGdIszHu7L99gbTW0j+9/fG6ZBaI+3Nc1GMWVdGpzO1cN5lAkEv+FLE5G0CmFDDrZ3e75w 5pem07xbrxrV1IHrdQleL1jRqB39eB7c+I2eeW1910oOI9Y3DYN1eXmQcwvet6SqSe46RBBnztSD yGBFPrHpWscFOw6NK38YtWPxQyAKPL2qEwvO0pI= -----END CERTIFICATE----- ``` The Knox instance on `central.knox.com` runs with SSL disabled. ## Integration Tests N/A ## UI changes N/A -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
