Quick Tip: SSL Cert Expiry from Kubernetes Secrets

Quick Tips Mar 15 2020

I recently wanted to spot check a certificate for one of our Kubernetes clusters in the EU-West region to ensure it had been updated to the latest version. Normally, I would just load up the website check the certificate with Chrome. However, since we have multiple clusters and use latency-based DNS routing, all my requests get directed to the US-West cluster and not EU-West.

Instead of mucking around with curl or VPNs, I decided to just read the cert directly out of Kubernetes. We are using cert-manager to provision our certificates so all of the certs end up being stored as Secrets.

I put together a quick one-liner that prints out the expiration date for a certificate named CERTNAME:

kubectl get secret CERTNAME -o "jsonpath={.data['tls\.crt']}" | base64 -D | openssl x509 -enddate -noout

If all goes well, you should get a lovely single line of output in your console:

> notAfter=Jun  7 16:00:59 2020 GMT

Here's an explaination of each of the steps.1

  • kubectl get secret CERTNAME -o "jsonpath={.data['tls\.crt']}": Reads the certificate information stored in tls.crt out as Base64 encoded text.
  • base64 -D: Decodes the certificate into plaintext.
  • openssl x509 -enddate -noout: Parses the certificate and prints out the expiration date.

Hopefully this saves you some time if you are trying to do a quick check on your cert expiration!

  1. The pipe (|) operator in the command simply takes the output of the previous step and passes it as the input to the next. You can read about it in more detail here

← Back Home