Additional Trusted Certificate Authorities

When using your own enterprise CA, OKD can include the enterprise CA certificate in a trusted certificate authority bundle. This approach is useful if an application running in OKD must communicate with secure URLs that have been signed by your enterprise CA.

By default, applications do not trust the enterprise CA.

If your OKD cluster uses certificates signed by your enterprise CA, then check whether the enterprise CA certificate is already included in the trusted bundle. Start by identifying the configuration map that the cluster proxy references as its trusted CA bundle.

oc get proxy/cluster \
  -o jsonpath='{.spec.trustedCA.name}{"\n"}'

Extract and then view the contents of the identified configuration map. Your own certificates, such as a wildcard certificate and enterprise CA certificate, are listed at the top.

The configuration map might contain comments that describe your certificates.

oc extract configmap <CONFIGMAP-NAME> \
  -n openshift-config --confirm
less ca-bundle.crt
...output omitted...

If the configuration map does not contain the enterprise CA certificate, then modify the configuration map to append the certificate: combine the wildcard certificate and the enterprise CA certificate in a new PEM file.

Adding comments, such as # Wildcard Cert above the wildcard certificate and # Enterprise CA above the enterprise CA certificate, makes it easier to identify the certificates when viewing the configuration map later.

Replace the ca-bundle.crt data in the previously identified configuration map with the new PEM file.

oc set data configmap <CONFIGMAP-NAME> \
  --from-file ca-bundle.crt=<PATH-TO-NEW-CERTIFICATE> -n openshift-config
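The check-then-append procedure above is easy to get wrong by hand: a comment label such as # Enterprise CA says nothing about which certificate actually follows it, and oc set data --from-file replaces the whole ca-bundle.crt key, so any certificate left out of the new file stops being trusted. The following script is an added example, not code from the OKD project or from the original text. It compares certificates by their decoded DER content rather than by labels, appends the enterprise CA under a comment only when it is missing, and wraps the oc extract / oc set data steps from the procedure in helper functions. The function names, the sample PEM blocks (which are constructed stand-ins, not real X.509 certificates) and the /tmp paths are assumptions made for the example.

```python
"""Maintain the OKD cluster-proxy trusted CA bundle (added example).

The text helpers work on any PEM bundle and are exercised offline. The oc
helpers mirror the commands in the procedure and are only run when a cluster
is reachable.
"""
import re
import subprocess
import tempfile
from base64 import b64decode, b64encode
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certs_in_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle.

    Comments, blank lines and line wrapping between or inside blocks are
    ignored, so a certificate is matched by content, not by the label that
    someone wrote above it.
    """
    return [b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def bundle_contains(bundle_text, cert_text):
    """True if every certificate in cert_text is already in bundle_text."""
    wanted = certs_in_bundle(cert_text)
    if not wanted:
        raise ValueError("no PEM certificate found in the supplied text")
    present = set(certs_in_bundle(bundle_text))
    return all(der in present for der in wanted)


def append_with_comment(bundle_text, cert_text, comment):
    """Append cert_text under a '# comment' line unless it is already present.

    Returns (new_bundle_text, changed). The original bundle is kept intact so
    that replacing the ca-bundle.crt key does not drop existing certificates.
    """
    if bundle_contains(bundle_text, cert_text):
        return bundle_text, False
    body = bundle_text if bundle_text.endswith("\n") else bundle_text + "\n"
    return f"{body}# {comment}\n{cert_text.strip()}\n", True


# --- constructed sample data: base64 of a label, NOT real certificates ---
def fake_pem(label):
    body = b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


SAMPLE_BUNDLE = (
    "# Wildcard Cert\n" + fake_pem("wildcard-constructed") + "\n"
    "# Public CA shipped with the cluster\n" + fake_pem("public-ca-constructed") + "\n"
)
ENTERPRISE_CA = fake_pem("enterprise-ca-constructed")


# --- cluster helpers mirroring the oc commands in the procedure ---
def proxy_trusted_ca_configmap():
    """Name of the ConfigMap referenced by proxy/cluster (.spec.trustedCA.name)."""
    out = subprocess.run(
        ["oc", "get", "proxy/cluster", "-o", "jsonpath={.spec.trustedCA.name}"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def read_bundle(configmap):
    """oc extract the ConfigMap into a temp dir and return ca-bundle.crt."""
    workdir = Path(tempfile.mkdtemp(prefix="ca-bundle-"))  # assumed location
    subprocess.run(
        ["oc", "extract", f"configmap/{configmap}", "-n", "openshift-config",
         "--confirm", f"--to={workdir}"], check=True)
    return (workdir / "ca-bundle.crt").read_text()


def write_bundle(configmap, bundle_text):
    """Replace the ca-bundle.crt key, as 'oc set data --from-file' does."""
    path = Path(tempfile.mkdtemp(prefix="ca-bundle-")) / "ca-bundle.crt"
    path.write_text(bundle_text)
    subprocess.run(
        ["oc", "set", "data", "configmap", configmap,
         f"--from-file=ca-bundle.crt={path}", "-n", "openshift-config"], check=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed bundle.
    merged, changed = append_with_comment(SAMPLE_BUNDLE, ENTERPRISE_CA, "Enterprise CA")
    print("appended:", changed, "| certificates now:", len(certs_in_bundle(merged)))
    # Against a real cluster (enterprise CA read from an assumed path):
    #   cm = proxy_trusted_ca_configmap()
    #   new, changed = append_with_comment(read_bundle(cm),
    #                                      Path("/tmp/enterprise-ca.pem").read_text(),
    #                                      "Enterprise CA")
    #   if changed: write_bundle(cm, new)
```

Running the script twice against the same bundle is safe: the second run finds the enterprise CA by content and reports no change, which is the idempotency you want before wiring this into automation.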