On Fri, Feb 5, 2016 at 4:05 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> Brenton
>
> That is good info. Just checked all the certs' validity.
>
> Master and node certs are valid for 1 year. And other certs
> (master.proxy-client, master.kubelet-client.crt, openshift-router.crt,
> openshift-registry.crt) are valid for 2 years.
>
> I didn't find any documentation on how to renew the default certs post
> deployment. Can you point me to the right source?

Part of the upgrade process from earlier versions of Origin and OSE
involved regenerating the certificates. That process is described here:

https://docs.openshift.com/enterprise/3.1/install_config/upgrades.html#updating-master-and-node-certificates

While that process involves using oadm, some admins may prefer to use
openssl directly. In that case I would probably use 'openssl x509
-x509toreq' to create a certificate request from the preexisting
certificates. Then I would sign the CSRs with the CA of my choosing.
The Master would still need to have a copy of that CA, or at least a
subordinate CA.

>
> --
> Srinivas Kotaru
>
>
> On 2/5/16, 12:41 PM, "Brenton Leanhardt" <[email protected]> wrote:
>
>>On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
>><[email protected]> wrote:
>>> As part of OSE 3.X installation we have to generate multiple SSL certs for
>>> cluster objects to communicate (master, node, router, registry etc). I
>>> know all communication within OSE uses SSL. By default we might be
>>> generating certs using the OSE-provided CA cert and key.
>>>
>>> Questions
>>> ========
>>> What is the validity of these certs?
>>
>>The main certs will be the Master and Node. If the defaults are used
>>I think they will be valid for one year.
>>
>>Eventually we'll switch the router and registry over to using
>>serviceaccount tokens. Everything pods need to securely connect to
>>the Master can be injected in at pod start. The router and registry
>>were created before that infrastructure existed, which is why we hacked
>>around it with environment variables.
>>
>>> Will OSE automatically monitor and renew?
>>
>>Not yet. Over time more of this type of monitoring will be handled by
>>OpenShift itself.
>>
>>> If not, infra teams have to closely monitor and renew before expiration?
>>> Can we use any SSL certs instead of using the OSE default CA authority?
>>
>>Today the deployment of a custom CA to be used for internal
>>communication to the master is manual. We're working to make that
>>much easier as part of
>>https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates
>>
>>> What is the impact if we don't renew these internal certs?
>>
>>Depending on how widespread the problem was, it could definitely degrade
>>service.
>>
>>> If a customer has multiple clusters in production, don't you think it is too
>>> much of a burden to watch and renew?
>>
>>We definitely understand the burden for large environments. Ideally
>>we'll integrate with various types of PKI.
>>
>>> Any other useful information for cluster admins or planners?
>>>
>>> --
>>> Srinivas Kotaru
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
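The openssl route Brenton sketches (certificate to CSR with 'openssl x509 -x509toreq', then re-sign under a CA of your choosing) as an added, runnable example. This is not code from the thread or from the OpenShift project; it builds a throwaway "old" CA, a server key, a short-lived cert with a SAN, and a "new" CA entirely inside a temp directory so it runs offline, and the names (master.example.test, 10.0.0.1, example-old-ca, example-new-ca, the WORK directory) are constructed for the example. It assumes OpenSSL 1.1.1 or newer for 'x509 -ext'. Two caveats a practitioner hits on the first try are handled: -x509toreq carries over only the subject and key, not the extensions, so the subjectAltName (which master and node certs depend on) is harvested from the old cert and restated, and the expiry check uses 'openssl x509 -checkend', whose exit code is inverted from what the function name suggests.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenShift project): renew a
# cluster certificate with plain openssl. Assumes OpenSSL 1.1.1 or newer.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # hypothetical scratch dir for the example

# Constructed fixture standing in for a master cert signed by the installer's
# CA: an "old" CA, a server key, and a cert with a SAN that expires in a day.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-old-ca" \
    -keyout "$WORK/old-ca.key" -out "$WORK/old-ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=master.example.test" \
    -keyout "$WORK/master.key" -out "$WORK/master.csr" 2>/dev/null
  printf 'subjectAltName=DNS:master.example.test,IP:10.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/orig.ext"
  openssl x509 -req -days 1 -in "$WORK/master.csr" -CA "$WORK/old-ca.crt" \
    -CAkey "$WORK/old-ca.key" -CAcreateserial -extfile "$WORK/orig.ext" \
    -out "$WORK/master.crt" 2>/dev/null
  # The CA we choose to sign renewals with (could equally be an enterprise CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=example-new-ca" \
    -keyout "$WORK/new-ca.key" -out "$WORK/new-ca.crt" 2>/dev/null
}

# cert_expires_within DAYS CERT: exit 0 if CERT expires within DAYS days.
# 'openssl x509 -checkend' exits non-zero when the cert WILL expire, so invert.
cert_expires_within() {
  if openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# same_pubkey KEY CERT: exit 0 if CERT carries the public half of KEY.
same_pubkey() {
  [ "$(openssl pkey -pubout -in "$1" 2>/dev/null)" = \
    "$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null)" ]
}

# renew_cert OLD_CRT KEY CA_CRT CA_KEY OUT_CRT DAYS [EXTRA_EXT]
# Re-issues OLD_CRT (same key, same subject, same SANs) under CA_CRT for DAYS.
# EXTRA_EXT holds extension lines to restate (e.g. 'extendedKeyUsage=serverAuth'):
# -x509toreq keeps only subject and key, so extensions must be supplied again.
renew_cert() {
  old="$1"; key="$2"; ca="$3"; cakey="$4"; out="$5"; days="$6"; extra="${7:-}"
  # 1. Certificate -> CSR, signed with the existing private key (key not rotated).
  openssl x509 -x509toreq -in "$old" -signkey "$key" -out "$out.csr" 2>/dev/null
  # 2. Harvest the old SANs so hostnames and IPs are not silently dropped.
  #    '-ext' prints "DNS:a, IP Address:b"; turn that back into extfile syntax.
  san=$(openssl x509 -noout -ext subjectAltName -in "$old" 2>/dev/null \
        | sed -n '2p' | sed 's/IP Address:/IP:/g; s/, */,/g; s/^[[:space:]]*//')
  : > "$out.ext"
  if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$out.ext"; fi
  if [ -n "$extra" ]; then printf '%s\n' "$extra" >> "$out.ext"; fi
  # 3. Sign the CSR with the CA of our choosing.
  openssl x509 -req -days "$days" -in "$out.csr" -CA "$ca" -CAkey "$cakey" \
    -CAcreateserial -extfile "$out.ext" -out "$out" 2>/dev/null
  # 4. Confirm it chains to that CA before anything is copied into place.
  openssl verify -CAfile "$ca" "$out" >/dev/null 2>&1
}

make_fixture
renew_cert "$WORK/master.crt" "$WORK/master.key" "$WORK/new-ca.crt" "$WORK/new-ca.key" \
  "$WORK/master-renewed.crt" 365 'extendedKeyUsage=serverAuth'
openssl x509 -noout -subject -enddate -in "$WORK/master-renewed.crt"
openssl x509 -noout -ext subjectAltName -in "$WORK/master-renewed.crt"
```

The renewed cert reuses the old private key; if the key itself should be rotated, generate a fresh CSR with 'openssl req' instead of -x509toreq and keep only the SAN-harvesting step. On OpenSSL 3.0 and later, 'openssl x509 -x509toreq -copy_extensions copy' can carry the extensions over directly, which makes the harvesting unnecessary. As Brenton notes, none of this helps until the master (and every node) also trusts the signing CA, so the CA bundle the cluster reads must be updated alongside the leaf certs, and the 'cert_expires_within' check is the kind of thing to run on a schedule against every cert listed in the thread, since the platform at that time did not monitor them.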
