This is a blog with random OpenShift, Kubernetes, OpenStack and Linux related notes so I don't forget things. If you find something inaccurate or that could be fixed, please file a bug report here.

View on GitHub

Back to home

22 June 2016

Where is the certmonger local CA cert?

by Juan Antonio Osorio Robles

There is a TLDR in the end.

So, I’m looking a bit more into certmonger. And in this case, I want to replace the hardcoded openssl commands that autogenerate the CA and server certificates for the undercloud, for a certmonger-based solution.

While setting up the pieces in the undercloud code I decided to first try with the ‘local’ CA from certmonger, to be able to test what I’m doing easily. But then I realized that I actually have no clue where this certificate is stored.

So after digging a bit in the certmonger code-base, I found out that the certificate is stored in a pkcs12 file in this path: /var/lib/certmonger/local. The file name is creds, and in order to check out the contents, you can do the following:

pk12util -l creds

Note that the file has no password.

So, even if the PKCS12 format is nice and all, we need the certificate in PEM format to be actually used by the overcloud. So we can export it with the following command:

openssl pkcs12 -in creds -out $OUTPUT_FILE -nokeys -nodes -passin pass:""

-nokeys- is used to prevent the private key from being exported as well to the PEM file. For our use-case, we only need the certificate.


In Fedora and CentOS It’s in a PKCS12 file which is this:


Important note

Please note that the ‘local’ CA from certmonger shouldn’t be used in production. A real CA should be used instead.

tags: tripleo - certmonger

Back to home