12. 09. 2023 Lorenzo Candeago DevOps

How to Convert and Add a .pfx cert to Pulp 3 Operator

On our OpenShift cluster we use pulp3 as the repository manager.

One recent task we had to do was to add a certificate before we could expose the repository over TLS. Our IT department provided us with the certificate in .pfx format.

Following this guide for converting the certificate to a format usable by OpenShift, we first extracted the key from the .pfx file using openssl. Pulp Operator requires the certificate and the key to be stored in a secret and the key to be decrypted:

# openssl pkcs12 -nocerts -in ./pulp3.apps.rdopenshift.si.wp.lan_exp2028.pfx --out pulp3.apps.rdopenshift.si.wp.lan_exp2028.key

Next we wanted to extract the public certificate. Note that we include the full chain (-chain ) and extract only the client cert (-clcerts):

# openssl pkcs12  -clcerts -nokeys -chain -in ./pulp3.apps.rdopenshift.si.wp.lan_exp2028.pfx --out pulp3.apps.rdopenshift.si.wp.lan_exp2028.crt

If we use a custom CA, we can extract that too from the .pfx file:

# openssl pkcs12  -cacerts -nokeys -chain -in ./pulp3.apps.rdopenshift.si.wp.lan_exp2028.pfx --out pulp3.apps.rdopenshift.si.wp.lan_exp2028-ca.crt

The next step is to decrypt the key:

# openssl rsa -in pulp3.apps.rdopenshift.si.wp.lan_exp2028.key -out pulp3.apps.rdopenshift.si.wp.lan_exp2028-decrypted.key

Now we can finally create the secret:

oc create secret generic pulp3-route-certs --from-file=certificate=../pulp3.apps.rdopenshift.si.wp.lan_exp2028.crt --from-file=key=../pulp3.apps.rdopenshift.si.wp.lan_exp2028-decrypted.key --from-file=caCertificate=pulp3.apps.rdopenshift.si.wp.lan_exp2028-ca.crt
secret/pulp3-route-certs created

And add the secret to the Pulp Operator Custom Resource yaml: 

spec:
    route_tls_secret: pulp3-route-certs

We can now verify that the Operator uses the correct certificates by checking the certificate exposed by the Operator route:

These Solutions are Engineered by Humans

Did you read this article because you’re knowledgeable about networking? Do you have the skills necessary to manage networks? We’re currently hiring for roles like this as well as other roles here at Würth Phoenix.

Lorenzo Candeago

Lorenzo Candeago

DevOps Engineer at Würth Phoenix

Author

Lorenzo Candeago

DevOps Engineer at Würth Phoenix

Latest posts by Lorenzo Candeago

30. 10. 2023 DevOps
How to Fix OpenShift Console not Showing the Characters in Firefox
30. 10. 2023 DevOps
LVM Disks on Azure for Dockerized Applications
06. 10. 2023 Development, DevOps
How to Test Beta Repos for RedHat 8.9 in a Container
25. 08. 2023 DevOps
Debug and Workarounds for a Stuck Update on OpenShift 4.13.6
19. 04. 2023 Bug Fixes, NetEye
Bug Fix for NetEye 4.29
See All

Related Content

Tags: , ,

24. 12. 2023 Development, DevOps, NetEye

How We Want to Avoid Breaking the NetEye User Guide (Again)

A few months ago while navigating through our NetEye User Guide we noticed that it had a small bug that caused some words in the right-side menu to be slightly truncated in the particular case where that menu contained some Read More
01. 12. 2023 Development, DevOps

How to Install Matomo on OpenShift

Recently we felt the need to collect anonymous metrics about how our users are visiting our websites. After some investigation, the development team proposed using Matomo: a free and open source software project which collects usage metrics while guaranteeing 100% Read More
28. 11. 2023 DevOps

My OpenShift Journey #7: Enabling Persistent Monitoring

Some days after installing an OpenShift cluster you may notice a warning related to insights: the system is complaining because metrics are not stored in a persistent way and a restart of the container may cause the loss of metrics. Read More
30. 10. 2023 DevOps

How to Fix OpenShift Console not Showing the Characters in Firefox

Recently when opening a console in the web-ui of OpenShift in Firefox, I saw the following: This doesn't happen when opening the console using Chromium. In the Firefox debugger, we can see that we have the following error: Blocked https://console-openshift-console.apps.rdopenshift.si.wp.lan/k8s/ns/openshift-pipelines/pods/el-azure-provisioner-pipeline-event-listener-b4c598b65-5j4xl/terminal Read More
25. 08. 2023 DevOps

Debug and Workarounds for a Stuck Update on OpenShift 4.13.6

Today we wanted to update our OpenShift cluster, and after a while we came up against the following error: Not good… Let's start by checking the clusterversion to investigate if we can find any errors: oc get clusterversion NAME VERSION Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive