For the doc at docs/sts-migrate-to-private-bucket.md covering how one can update an existing OpenShift AWS cluster from using a public S3 bucket to a CloudFront distribution to distribute the required JWKS key there is a step that asks the user to compute the fingerprint for the an certificate issued to CloudFront distribution to allow AWS IAM to verify trust certificates issued by that CA without having to update the trust trusts when the signing certificate is rotated.
However, the openssl command example in the doc appears to compute the fingerprint of the leaf/server certificate for the CloudFront distribution, since openssl x509 consumes only the first PEM certificate from the output openssl s_client is invoked.
The documentation issue is of minimal impact as the linked documentation to obtaining the fingerprint states that if the certificate is issued by one of the CA that AWS owns/trusts, fingerprint verification is skipped, i.e., for CloudFront distributions using the default certificates or a certificate issued by AWS ACM the incorrect fingerprint does not impact validation.
For verification purposes, the example should be updated to reflect AWS documentation on that the correct thumbprint to obtain is for the intermediate CA certificate that issued the leaf certificate used to secure the CloudFront distribution.
For the creation of the OIDC IAM Provider, could instead recommend is relying on AWS IAM to obtain the fingerprint as the same linked doc explains AWS IAM will attempt to automatically obtain the intermediate CA fingerprint for the given server/leaf certificate.
For the doc at
docs/sts-migrate-to-private-bucket.mdcovering how one can update an existing OpenShift AWS cluster from using a public S3 bucket to a CloudFront distribution to distribute the required JWKS key there is a step that asks the user to compute the fingerprint for the an certificate issued to CloudFront distribution to allow AWS IAM to verify trust certificates issued by that CA without having to update the trust trusts when the signing certificate is rotated.However, the openssl command example in the doc appears to compute the fingerprint of the leaf/server certificate for the CloudFront distribution, since
openssl x509consumes only the first PEM certificate from the outputopenssl s_clientis invoked.The documentation issue is of minimal impact as the linked documentation to obtaining the fingerprint states that if the certificate is issued by one of the CA that AWS owns/trusts, fingerprint verification is skipped, i.e., for CloudFront distributions using the default certificates or a certificate issued by AWS ACM the incorrect fingerprint does not impact validation.
For verification purposes, the example should be updated to reflect AWS documentation on that the correct thumbprint to obtain is for the intermediate CA certificate that issued the leaf certificate used to secure the CloudFront distribution.
For the creation of the OIDC IAM Provider, could instead recommend is relying on AWS IAM to obtain the fingerprint as the same linked doc explains AWS IAM will attempt to automatically obtain the intermediate CA fingerprint for the given server/leaf certificate.