Verifying The New Certificate

Your system can be configured to trust your enterprise CA using the following two steps:

  • Copy your enterprise CA certificate to the /etc/pki/ca-trust/source/anchors/ directory. Change the name of the certificate if it conflicts with an existing file name in that directory.

  • Run the update-ca-trust extract command.
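The two steps above as a shell sketch, including the rename-on-conflict case. This is an added example, not part of the original documentation; the function names pick_anchor_name and install_ca_anchor are hypothetical, and it assumes a PEM-encoded CA certificate and a root shell.

```bash
#!/usr/bin/env bash
# Added example, not from the original documentation.
# pick_anchor_name and install_ca_anchor are hypothetical helper names.

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# Print the file name to use in directory $2 for certificate file $1:
#   name unused                  -> keep it
#   name taken, identical bytes  -> keep it (this CA is already installed)
#   name taken, different bytes  -> append -1, -2, ... before the extension
pick_anchor_name() {
    local src="$1" dir="$2" base stem ext="" candidate n=0
    base=$(basename "$src")
    stem=${base%.*}
    if [ "$stem" != "$base" ]; then
        ext=".${base##*.}"
    fi
    candidate="$stem$ext"
    while [ -e "$dir/$candidate" ] && ! cmp -s "$src" "$dir/$candidate"; do
        n=$((n + 1))
        candidate="$stem-$n$ext"
    done
    printf '%s\n' "$candidate"
}

# Copy certificate $1 into the anchors directory (or $2) under a
# non-conflicting name, then rebuild the system trust bundles.
install_ca_anchor() {
    local src="$1" dir="${2:-$ANCHOR_DIR}" name
    # Refuse input that does not parse as a PEM X.509 certificate.
    if ! openssl x509 -in "$src" -noout 2>/dev/null; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi
    name=$(pick_anchor_name "$src" "$dir") || return 1
    install -m 0644 "$src" "$dir/$name" || return 1
    update-ca-trust extract
}

# Usage (as root): install_ca_anchor ./enterprise-ca.crt
```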

Access the web console to verify the new certificate. Use the oc whoami command to find the web console URL.

oc whoami --show-console

After you enter the URL in your web browser, the web console displays with a lock icon in the URL address bar indicating that the connection is secure.

If your enterprise certificate authority signed the certificate, then your web browser might indicate that it does not recognize the certificate issuer.

If a recognized certificate authority signed the master API certificate, or if you configure your system to trust your enterprise CA, then you can log in securely using the oc login command.

If you had previously logged in insecurely, you can delete the ~/.kube/ directory before using the oc login command.

Alternatively, use the --certificate-authority option with the oc login command to specify the location of the CA certificate used to sign the master API certificate.