Custom Certificate in OpenShift

Zhimin Wen
4 min read · Oct 23, 2022
Image by Gerhard from Pixabay

Most companies with an established IT system will have their own Public Key Infrastructure (PKI) in place. How do we integrate the OpenShift Container Platform with that existing PKI? This article examines how we can use external certificates for the OCP platform itself and for container applications running on it.

Trusted Certificate Authority

You may have a CA that is trusted within the enterprise but is self-signed. For example, you are running a mirror registry with a certificate signed by the enterprise CA. On the mirror registry host, you can add the root CA certificate to the OS trust store so that it is trusted by the OS and by applications. For example, on a Red Hat flavour of Linux:

cp ca-bundle.pem /usr/share/pki/ca-trust-source/anchors/
update-ca-trust

The ca-bundle.pem file can be your root CA and intermediate CA certificates concatenated together.

Add Custom CA during Installation

By default, OpenShift trusts only the well-known public certificate authorities. To bring in a custom CA, you need to define the extra field additionalTrustBundle in your install-config.yaml at installation time:

additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIFSjCCAzKgAwIBAgIUQOsJUQWsa9gHCbEoL6f50XSPymYwDQYJKoZIhvcNAQEN…
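One way to assemble the ca-bundle.pem described above and produce that install-config.yaml fragment with the indentation the YAML block scalar requires, as an added example that is not part of the original post; the file names are placeholders and the certificate bodies are constructed, not real certificates:

```shell
#!/bin/sh
# Added example, not code from the original post: build the ca-bundle.pem
# described above (root + intermediate concatenated), check it for the
# defects that make update-ca-trust or the installer reject it, and emit the
# additionalTrustBundle fragment for install-config.yaml with the two-space
# indentation a YAML literal block scalar requires. POSIX sh, awk and sed only.
# write_placeholder_certs produces constructed placeholders, not real certs.

# count_certs FILE: print the number of PEM certificates in FILE; return 1 if
# BEGIN/END markers are unbalanced or a stray non-PEM line is present.
count_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; next }
        open { if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad = 1; next }
        /^[ \t]*$/ { next }
        { bad = 1 }
        END { if (bad || open) exit 1; print n + 0 }
    ' "$1"
}

# make_bundle OUT CERT...: concatenate CA certificate files into OUT, adding a
# newline after any file that lacks one so two markers never share a line.
make_bundle() {
    bundle_out=$1; shift
    : > "$bundle_out"
    for f in "$@"; do
        cat "$f" >> "$bundle_out"
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$bundle_out"
    done
    count_certs "$bundle_out" >/dev/null
}

# trust_bundle_yaml BUNDLE: print the install-config.yaml fragment.
trust_bundle_yaml() {
    count_certs "$1" >/dev/null || return 1
    printf 'additionalTrustBundle: |\n'
    sed 's/^/  /' "$1"
}

# write_placeholder_certs DIR: constructed root/intermediate PEM files (no
# trailing newline, to exercise make_bundle's newline handling).
write_placeholder_certs() {
    for name in root intermediate; do
        printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0EgQk9EWQ==' \
            '-----END CERTIFICATE-----' > "$1/$name.pem"
    done
}
```

Run make_bundle on your real root and intermediate PEM files, then paste the output of trust_bundle_yaml into install-config.yaml; a non-zero exit from count_certs means the bundle has a stray line or an unterminated certificate that should be fixed before installation.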
