@@ -2792,15 +2792,15 @@ _oadm_ca_create-master-certs()

     flags+=("--cert-dir=")

     flags_with_completion+=("--cert-dir")

     flags_completion+=("_filedir")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--hostnames=")

     flags+=("--master=")

     flags+=("--overwrite")

     flags+=("--public-master=")

     flags+=("--signer-name=")

     flags+=("--api-version=")

-    flags+=("--certificate-authority=")

-    flags_with_completion+=("--certificate-authority")

-    flags_completion+=("_filedir")

     flags+=("--client-certificate=")

     flags_with_completion+=("--client-certificate")

     flags_completion+=("_filedir")

@@ -5536,15 +5536,15 @@ _oc_adm_ca_create-master-certs()

     flags+=("--cert-dir=")

     flags_with_completion+=("--cert-dir")

     flags_completion+=("_filedir")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--hostnames=")

     flags+=("--master=")

     flags+=("--overwrite")

     flags+=("--public-master=")

     flags+=("--signer-name=")

     flags+=("--api-version=")

-    flags+=("--certificate-authority=")

-    flags_with_completion+=("--certificate-authority")

-    flags_completion+=("_filedir")

     flags+=("--client-certificate=")

     flags_with_completion+=("--client-certificate")

     flags_completion+=("_filedir")

@@ -228,6 +228,9 @@ _openshift_start_master()

     flags_with_completion=()

     flags_completion=()

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--config=")

     flags_with_completion+=("--config")

     flags_completion+=("__handle_filename_extension_flag yaml|yml")

@@ -691,6 +694,9 @@ _openshift_start()

     flags_with_completion=()

     flags_completion=()

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--cors-allowed-origins=")

     flags+=("--create-certs")

     flags+=("--dns=")

@@ -3347,15 +3353,15 @@ _openshift_admin_ca_create-master-certs()

     flags+=("--cert-dir=")

     flags_with_completion+=("--cert-dir")

     flags_completion+=("_filedir")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--hostnames=")

     flags+=("--master=")

     flags+=("--overwrite")

     flags+=("--public-master=")

     flags+=("--signer-name=")

     flags+=("--api-version=")

-    flags+=("--certificate-authority=")

-    flags_with_completion+=("--certificate-authority")

-    flags_completion+=("_filedir")

     flags+=("--client-certificate=")

     flags_with_completion+=("--client-certificate")

     flags_completion+=("_filedir")

@@ -9015,15 +9021,15 @@ _openshift_cli_adm_ca_create-master-certs()

     flags+=("--cert-dir=")

     flags_with_completion+=("--cert-dir")

     flags_completion+=("_filedir")

+    flags+=("--certificate-authority=")

+    flags_with_completion+=("--certificate-authority")

+    flags_completion+=("_filedir")

     flags+=("--hostnames=")

     flags+=("--master=")

     flags+=("--overwrite")

     flags+=("--public-master=")

     flags+=("--signer-name=")

     flags+=("--api-version=")

-    flags+=("--certificate-authority=")

-    flags_with_completion+=("--certificate-authority")

-    flags_completion+=("_filedir")

     flags+=("--client-certificate=")

     flags_with_completion+=("--client-certificate")

     flags_completion+=("_filedir")

@@ -777,9 +777,9 @@ os::util::host_platform() {

 os::util::sed() {

   if [[ "$(go env GOHOSTOS)" == "darwin" ]]; then

-  	sed -i '' $@

+  	sed -i '' "$@"

   else

-  	sed -i'' $@

+  	sed -i'' "$@"

   fi

 }

@@ -2,6 +2,7 @@ package admin

 import (

 	"errors"

+	"fmt"

 	"io"

 	"io/ioutil"

@@ -10,6 +11,7 @@ import (

 	kapi "k8s.io/kubernetes/pkg/api"

 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+	"k8s.io/kubernetes/pkg/util"

 )

 const CreateClientCommandName = "create-api-client-config"

@@ -23,7 +25,7 @@ type CreateClientOptions struct {

 	User   string

 	Groups []string

-	APIServerCAFile    string

+	APIServerCAFiles   []string

 	APIServerURL       string

 	PublicAPIServerURL string

 	Output             io.Writer

@@ -67,7 +69,7 @@ func NewCommandCreateClient(commandName string, fullName string, out io.Writer)

 	flags.StringVar(&options.APIServerURL, "master", "https://localhost:8443", "The API server's URL.")

 	flags.StringVar(&options.PublicAPIServerURL, "public-master", "", "The API public facing server's URL (if applicable).")

-	flags.StringVar(&options.APIServerCAFile, "certificate-authority", "openshift.local.config/master/ca.crt", "Path to the API server's CA file.")

+	flags.StringSliceVar(&options.APIServerCAFiles, "certificate-authority", []string{"openshift.local.config/master/ca.crt"}, "Files containing signing authorities to use to verify the API server's serving certificate.")

 	// autocompletion hints

 	cmd.MarkFlagFilename("client-dir")

@@ -89,8 +91,14 @@ func (o CreateClientOptions) Validate(args []string) error {

 	if len(o.APIServerURL) == 0 {

 		return errors.New("master must be provided")

 	}

-	if len(o.APIServerCAFile) == 0 {

+	if len(o.APIServerCAFiles) == 0 {

 		return errors.New("certificate-authority must be provided")

+	} else {

+		for _, caFile := range o.APIServerCAFiles {

+			if _, err := util.CertPoolFromFile(caFile); err != nil {

+				return fmt.Errorf("certificate-authority must be a valid certificate file: %v", err)

+			}

+		}

 	}

 	if o.SignerCertOptions == nil {

@@ -129,17 +137,17 @@ func (o CreateClientOptions) CreateClientFolder() error {

 		return err

 	}

-	// copy the CA file over

-	if caBytes, err := ioutil.ReadFile(o.APIServerCAFile); err != nil {

-		return err

-	} else if err := ioutil.WriteFile(clientCopyOfCAFile, caBytes, 0644); err != nil {

-		return nil

+	// copy the CA file(s) over

+	if caBytes, readErr := readFiles(o.APIServerCAFiles, []byte("\n")); readErr != nil {

+		return readErr

+	} else if writeErr := ioutil.WriteFile(clientCopyOfCAFile, caBytes, 0644); writeErr != nil {

+		return writeErr

 	}

 	createKubeConfigOptions := CreateKubeConfigOptions{

 		APIServerURL:       o.APIServerURL,

 		PublicAPIServerURL: o.PublicAPIServerURL,

-		APIServerCAFile:    clientCopyOfCAFile,

+		APIServerCAFiles:   []string{clientCopyOfCAFile},

 		CertFile: clientCertFile,

 		KeyFile:  clientKeyFile,

@@ -2,6 +2,7 @@ package admin

 import (

 	"errors"

+	"fmt"

 	"io"

 	"io/ioutil"

 	"os"

@@ -12,6 +13,7 @@ import (

 	kapi "k8s.io/kubernetes/pkg/api"

 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+	"k8s.io/kubernetes/pkg/util"

 	cliconfig "github.com/openshift/origin/pkg/cmd/cli/config"

 	"github.com/openshift/origin/pkg/cmd/server/crypto"

@@ -24,7 +26,7 @@ const CreateKubeConfigCommandName = "create-kubeconfig"

 type CreateKubeConfigOptions struct {

 	APIServerURL       string

 	PublicAPIServerURL string

-	APIServerCAFile    string

+	APIServerCAFiles   []string

 	CertFile string

 	KeyFile  string

@@ -87,7 +89,7 @@ users:

 	flags.StringVar(&options.APIServerURL, "master", "https://localhost:8443", "The API server's URL.")

 	flags.StringVar(&options.PublicAPIServerURL, "public-master", "", "The API public facing server's URL (if applicable).")

-	flags.StringVar(&options.APIServerCAFile, "certificate-authority", "openshift.local.config/master/ca.crt", "Path to the API server's CA file.")

+	flags.StringSliceVar(&options.APIServerCAFiles, "certificate-authority", []string{"openshift.local.config/master/ca.crt"}, "Files containing signing authorities to use to verify the API server's serving certificate.")

 	flags.StringVar(&options.CertFile, "client-certificate", "", "The client cert file.")

 	flags.StringVar(&options.KeyFile, "client-key", "", "The client key file.")

 	flags.StringVar(&options.ContextNamespace, "namespace", kapi.NamespaceDefault, "Namespace for this context in .kubeconfig.")

@@ -115,8 +117,14 @@ func (o CreateKubeConfigOptions) Validate(args []string) error {

 	if len(o.KeyFile) == 0 {

 		return errors.New("client-key must be provided")

 	}

-	if len(o.APIServerCAFile) == 0 {

+	if len(o.APIServerCAFiles) == 0 {

 		return errors.New("certificate-authority must be provided")

+	} else {

+		for _, caFile := range o.APIServerCAFiles {

+			if _, err := util.CertPoolFromFile(caFile); err != nil {

+				return fmt.Errorf("certificate-authority must be a valid certificate file: %v", err)

+			}

+		}

 	}

 	if len(o.ContextNamespace) == 0 {

 		return errors.New("namespace must be provided")

@@ -132,7 +140,7 @@ func (o CreateKubeConfigOptions) CreateKubeConfig() (*clientcmdapi.Config, error

 	glog.V(4).Infof("creating a .kubeconfig with: %#v", o)

 	// read all the referenced filenames

-	caData, err := ioutil.ReadFile(o.APIServerCAFile)

+	caData, err := readFiles(o.APIServerCAFiles, []byte("\n"))

 	if err != nil {

 		return nil, err

 	}

@@ -4,7 +4,9 @@ import (

 	"errors"

 	"fmt"

 	"io"

+	"io/ioutil"

 	"net/url"

+	"os"

 	"path/filepath"

 	"github.com/golang/glog"

@@ -12,6 +14,7 @@ import (

 	kapi "k8s.io/kubernetes/pkg/api"

 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

+	"k8s.io/kubernetes/pkg/util"

 	utilerrors "k8s.io/kubernetes/pkg/util/errors"

 	"github.com/openshift/origin/pkg/util/parallel"

@@ -68,6 +71,9 @@ type CreateMasterCertsOptions struct {

 	CertDir    string

 	SignerName string

+	APIServerCAFiles []string

+	CABundleFile     string

+

 	Hostnames []string

 	APIServerURL       string

@@ -99,6 +105,7 @@ func NewCommandCreateMasterCerts(commandName string, fullName string, out io.Wri

 	flags.StringVar(&options.CertDir, "cert-dir", "openshift.local.config/master", "The certificate data directory.")

 	flags.StringVar(&options.SignerName, "signer-name", DefaultSignerName(), "The name to use for the generated signer.")

+	flags.StringSliceVar(&options.APIServerCAFiles, "certificate-authority", options.APIServerCAFiles, "Optional files containing signing authorities to use (in addition to the generated signer) to verify the API server's serving certificate.")

 	flags.StringVar(&options.APIServerURL, "master", "https://localhost:8443", "The API server's URL.")

 	flags.StringVar(&options.PublicAPIServerURL, "public-master", "", "The API public facing server's URL (if applicable).")

@@ -107,6 +114,7 @@ func NewCommandCreateMasterCerts(commandName string, fullName string, out io.Wri

 	// autocompletion hints

 	cmd.MarkFlagFilename("cert-dir")

+	cmd.MarkFlagFilename("certificate-authority")

 	return cmd

 }

@@ -140,6 +148,12 @@ func (o CreateMasterCertsOptions) Validate(args []string) error {

 		return errors.New("public master must be a valid URL (e.g. https://example.com:8443)")

 	}

+	for _, caFile := range o.APIServerCAFiles {

+		if _, err := util.CertPoolFromFile(caFile); err != nil {

+			return fmt.Errorf("certificate authority must be a valid certificate file: %v", err)

+		}

+	}

+

 	return nil

 }

@@ -168,6 +182,7 @@ func (o CreateMasterCertsOptions) CreateMasterCerts() error {

 	}

 	errs := parallel.Run(

+		func() error { return o.createCABundle(&getSignerCertOptions) },

 		func() error { return o.createServerCerts(&getSignerCertOptions) },

 		func() error { return o.createAPIClients(&getSignerCertOptions) },

 		func() error { return o.createEtcdClientCerts(&getSignerCertOptions) },

@@ -187,7 +202,7 @@ func (o CreateMasterCertsOptions) createAPIClients(getSignerCertOptions *SignerC

 		createKubeConfigOptions := CreateKubeConfigOptions{

 			APIServerURL:       o.APIServerURL,

 			PublicAPIServerURL: o.PublicAPIServerURL,

-			APIServerCAFile:    getSignerCertOptions.CertFile,

+			APIServerCAFiles:   append([]string{getSignerCertOptions.CertFile}, o.APIServerCAFiles...),

 			CertFile: clientCertInfo.CertLocation.CertFile,

 			KeyFile:  clientCertInfo.CertLocation.KeyFile,

@@ -252,6 +267,21 @@ func (o CreateMasterCertsOptions) createClientCert(clientCertInfo ClientCertInfo

 	return nil

 }

+func (o CreateMasterCertsOptions) createCABundle(getSignerCertOptions *SignerCertOptions) error {

+	caFiles := []string{getSignerCertOptions.CertFile}

+	caFiles = append(caFiles, o.APIServerCAFiles...)

+	caData, err := readFiles(caFiles, []byte("\n"))

+	if err != nil {

+		return err

+	}

+

+	// ensure parent dir

+	if err := os.MkdirAll(o.CertDir, os.FileMode(0755)); err != nil {

+		return err

+	}

+	return ioutil.WriteFile(DefaultCABundleFile(o.CertDir), caData, 0644)

+}

+

 func (o CreateMasterCertsOptions) createServerCerts(getSignerCertOptions *SignerCertOptions) error {

 	for _, serverCertInfo := range DefaultServerCerts(o.CertDir) {

 		serverCertOptions := CreateServerCertOptions{

@@ -18,6 +18,7 @@ import (

 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

 	"k8s.io/kubernetes/pkg/master/ports"

 	"k8s.io/kubernetes/pkg/runtime"

+	"k8s.io/kubernetes/pkg/util"

 	"github.com/openshift/origin/pkg/cmd/flagtypes"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

@@ -47,7 +48,7 @@ type CreateNodeConfigOptions struct {

 	ServerCertFile    string

 	ServerKeyFile     string

 	NodeClientCAFile  string

-	APIServerCAFile   string

+	APIServerCAFiles  []string

 	APIServerURL      string

 	Output            io.Writer

 	NetworkPluginName string

@@ -93,7 +94,7 @@ func NewCommandNodeConfig(commandName string, fullName string, out io.Writer) *c

 	flags.StringVar(&options.ServerKeyFile, "server-key", "", "The server key file for the node to serve secure traffic.")

 	flags.StringVar(&options.NodeClientCAFile, "node-client-certificate-authority", options.NodeClientCAFile, "The file containing signing authorities to use to verify requests to the node. If empty, all requests will be allowed.")

 	flags.StringVar(&options.APIServerURL, "master", options.APIServerURL, "The API server's URL.")

-	flags.StringVar(&options.APIServerCAFile, "certificate-authority", options.APIServerCAFile, "Path to the API server's CA file.")

+	flags.StringSliceVar(&options.APIServerCAFiles, "certificate-authority", options.APIServerCAFiles, "Files containing signing authorities to use to verify the API server's serving certificate.")

 	flags.StringVar(&options.NetworkPluginName, "network-plugin", options.NetworkPluginName, "Name of the network plugin to hook to for pod networking.")

 	// autocompletion hints

@@ -115,7 +116,7 @@ func NewDefaultCreateNodeConfigOptions() *CreateNodeConfigOptions {

 	// TODO: replace me with a proper round trip of config options through decode

 	options.DNSDomain = "cluster.local"

 	options.APIServerURL = "https://localhost:8443"

-	options.APIServerCAFile = "openshift.local.config/master/ca.crt"

+	options.APIServerCAFiles = []string{"openshift.local.config/master/ca.crt"}

 	options.NodeClientCAFile = "openshift.local.config/master/ca.crt"

 	options.ImageTemplate = variable.NewDefaultImageTemplate()

@@ -155,8 +156,14 @@ func (o CreateNodeConfigOptions) Validate(args []string) error {

 	if len(o.APIServerURL) == 0 {

 		return errors.New("--master must be provided")

 	}

-	if _, err := os.Stat(o.APIServerCAFile); len(o.APIServerCAFile) == 0 || err != nil {

-		return fmt.Errorf("--certificate-authority, %q must be a valid certificate file", cmdutil.GetDisplayFilename(o.APIServerCAFile))

+	if len(o.APIServerCAFiles) == 0 {

+		return fmt.Errorf("--certificate-authority must be a valid certificate file")

+	} else {

+		for _, caFile := range o.APIServerCAFiles {

+			if _, err := util.CertPoolFromFile(caFile); err != nil {

+				return fmt.Errorf("--certificate-authority must be a valid certificate file: %v", err)

+			}

+		}

 	}

 	if len(o.Hostnames) == 0 {

 		return errors.New("at least one hostname must be provided")

@@ -193,6 +200,23 @@ func (o CreateNodeConfigOptions) Validate(args []string) error {

 	return nil

 }

+// readFiles returns a byte array containing the contents of all the given filenames,

+// optionally separated by a delimiter, or an error if any of the files cannot be read

+func readFiles(srcFiles []string, separator []byte) ([]byte, error) {

+	data := []byte{}

+	for _, srcFile := range srcFiles {

+		fileData, err := ioutil.ReadFile(srcFile)

+		if err != nil {

+			return nil, err

+		}

+		if len(data) > 0 && len(separator) > 0 {

+			data = append(data, separator...)

+		}

+		data = append(data, fileData...)

+	}

+	return data, nil

+}

+

 func CopyFile(src, dest string, permissions os.FileMode) error {

 	// copy the cert and key over

 	if content, err := ioutil.ReadFile(src); err != nil {

@@ -317,11 +341,11 @@ func (o CreateNodeConfigOptions) MakeServerCert(serverCertFile, serverKeyFile st

 }

 func (o CreateNodeConfigOptions) MakeAPIServerCA(clientCopyOfCAFile string) error {

-	if err := CopyFile(o.APIServerCAFile, clientCopyOfCAFile, 0644); err != nil {

+	content, err := readFiles(o.APIServerCAFiles, []byte("\n"))

+	if err != nil {

 		return err

 	}

-

-	return nil

+	return ioutil.WriteFile(clientCopyOfCAFile, content, 0644)

 }

 func (o CreateNodeConfigOptions) MakeNodeClientCA(clientCopyOfCAFile string) error {

@@ -334,8 +358,8 @@ func (o CreateNodeConfigOptions) MakeNodeClientCA(clientCopyOfCAFile string) err

 func (o CreateNodeConfigOptions) MakeKubeConfig(clientCertFile, clientKeyFile, clientCopyOfCAFile, kubeConfigFile string) error {

 	createKubeConfigOptions := CreateKubeConfigOptions{

-		APIServerURL:    o.APIServerURL,

-		APIServerCAFile: clientCopyOfCAFile,

+		APIServerURL:     o.APIServerURL,

+		APIServerCAFiles: []string{clientCopyOfCAFile},

 		CertFile: clientCertFile,

 		KeyFile:  clientKeyFile,

@@ -39,14 +39,7 @@ func BindCreateSignerCertOptions(options *CreateSignerCertOptions, flags *pflag.

 }

 const createSignerLong = `

-Create a self-signed CA key/cert

-

-Create a self-signed CA key/cert for signing certificates used by server

-components.

-

-This is mainly intended for development/trial deployments as production

-deployments should utilize properly signed certificates (generated

-separately) or start with a properly signed CA.

+Create a self-signed CA key/cert for signing certificates used by server components.

 `

 func NewCommandCreateSignerCert(commandName string, fullName string, out io.Writer) *cobra.Command {

@@ -13,6 +13,7 @@ import (

 const (

 	CAFilePrefix     = "ca"

+	CABundlePrefix   = "ca-bundle"

 	MasterFilePrefix = "master"

 )

@@ -27,6 +28,10 @@ func DefaultSignerName() string {

 	return fmt.Sprintf("%s@%d", "openshift-signer", time.Now().Unix())

 }

+func DefaultCABundleFile(certDir string) string {

+	return DefaultCertFilename(certDir, CABundlePrefix)

+}

+

 func DefaultRootCAFile(certDir string) string {

 	return DefaultCertFilename(certDir, CAFilePrefix)

 }

@@ -63,6 +63,8 @@ type MasterArgs struct {

 	// CORS is enabled for localhost, 127.0.0.1, and the asset server by default.

 	CORSAllowedOrigins []string

+	APIServerCAFiles []string

+

 	ListenArg          *ListenArg

 	ImageFormatArgs    *ImageFormatArgs

 	KubeConnectionArgs *KubeConnectionArgs

@@ -84,6 +86,8 @@ func BindMasterArgs(args *MasterArgs, flags *pflag.FlagSet, prefix string) {

 	flags.StringVar(&args.EtcdDir, prefix+"etcd-dir", "openshift.local.etcd", "The etcd data directory.")

+	flags.StringSliceVar(&args.APIServerCAFiles, prefix+"certificate-authority", args.APIServerCAFiles, "Optional files containing signing authorities to use (in addition to the generated signer) to verify the API server's serving certificate.")

+

 	nodes := []string{}

 	flags.StringSliceVar(&nodes, prefix+"nodes", nodes, "DEPRECATED: nodes now register themselves")

 	flags.MarkDeprecated(prefix+"nodes", "Nodes register themselves at startup, and are no longer statically registered")

@@ -92,7 +96,7 @@ func BindMasterArgs(args *MasterArgs, flags *pflag.FlagSet, prefix string) {

 	// autocompletion hints

 	cobra.MarkFlagFilename(flags, prefix+"etcd-dir")

-

+	cobra.MarkFlagFilename(flags, prefix+"certificate-authority")

 }

 // NewDefaultMasterArgs creates MasterArgs with sub-objects created and default values set.

@@ -258,7 +262,7 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 		config.AssetConfig.ServingInfo.ServerCert = admin.DefaultAssetServingCertInfo(args.ConfigDir.Value())

 		if oauthConfig != nil {

-			s := admin.DefaultRootCAFile(args.ConfigDir.Value())

+			s := admin.DefaultCABundleFile(args.ConfigDir.Value())

 			oauthConfig.MasterCA = &s

 		}

@@ -266,7 +270,7 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 		if builtInKubernetes {

 			config.KubeletClientInfo.CA = admin.DefaultRootCAFile(args.ConfigDir.Value())

 			config.KubeletClientInfo.ClientCert = kubeletClientInfo.CertLocation

-			config.ServiceAccountConfig.MasterCA = admin.DefaultRootCAFile(args.ConfigDir.Value())

+			config.ServiceAccountConfig.MasterCA = admin.DefaultCABundleFile(args.ConfigDir.Value())

 		}

 		// Only set up ca/cert info for etcd connections if we're self-hosting etcd

@@ -312,6 +312,8 @@ func (o MasterOptions) CreateCerts() error {

 		SignerName:         signerName,

 		Hostnames:          hostnames.List(),

 		APIServerURL:       masterAddr.String(),

+		APIServerCAFiles:   o.MasterArgs.APIServerCAFiles,

+		CABundleFile:       admin.DefaultCABundleFile(o.MasterArgs.ConfigDir.Value()),

 		PublicAPIServerURL: publicMasterAddr.String(),

 		Output:             o.Output,

 	}

@@ -217,9 +217,9 @@ func (o NodeOptions) RunNode() error {

 func (o NodeOptions) CreateNodeConfig() error {

 	getSignerOptions := &admin.SignerCertOptions{

-		CertFile:   admin.DefaultCertFilename(o.NodeArgs.MasterCertDir, "ca"),

-		KeyFile:    admin.DefaultKeyFilename(o.NodeArgs.MasterCertDir, "ca"),

-		SerialFile: admin.DefaultSerialFilename(o.NodeArgs.MasterCertDir, "ca"),

+		CertFile:   admin.DefaultCertFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),

+		KeyFile:    admin.DefaultKeyFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),

+		SerialFile: admin.DefaultSerialFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),

 	}

 	var dnsIP string

@@ -253,8 +253,8 @@ func (o NodeOptions) CreateNodeConfig() error {

 		ListenAddr:          o.NodeArgs.ListenArg.ListenAddr,

 		NetworkPluginName:   o.NodeArgs.NetworkPluginName,

-		APIServerURL:    masterAddr.String(),

-		APIServerCAFile: getSignerOptions.CertFile,

+		APIServerURL:     masterAddr.String(),

+		APIServerCAFiles: []string{admin.DefaultCABundleFile(o.NodeArgs.MasterCertDir)},

 		NodeClientCAFile: getSignerOptions.CertFile,

 		Output:           o.Output,

new file mode 100755

@@ -0,0 +1,90 @@

+#!/bin/bash

+#

+# This scripts starts the OpenShift server with custom TLS certs, and verifies generated kubeconfig files can be used to talk to it.

+

+set -o errexit

+set -o nounset

+set -o pipefail

+

+OS_ROOT=$(dirname "${BASH_SOURCE}")/../..

+cd "${OS_ROOT}"

+source "${OS_ROOT}/hack/util.sh"

+source "${OS_ROOT}/hack/lib/log.sh"

+source "${OS_ROOT}/hack/lib/util/environment.sh"

+source "${OS_ROOT}/hack/cmd_util.sh"

+os::log::install_errexit

+

+os::util::environment::setup_all_server_vars "test-extended-alternate-certs/"

+reset_tmp_dir

+

+export EXTENDED_TEST_PATH="${OS_ROOT}/test/extended"

+

+function cleanup()

+{

+	out=$?

+    kill $OS_PID

+	echo "[INFO] Exiting"

+	exit $out

+}

+

+trap "exit" INT TERM

+trap "cleanup" EXIT

+

+

+echo "[INFO] Starting server as distinct processes"

+echo "[INFO] `openshift version`"

+echo "[INFO] Server logs will be at:    ${LOG_DIR}/openshift.log"

+echo "[INFO] Test artifacts will be in: ${ARTIFACT_DIR}"

+echo "[INFO] Config dir is:             ${SERVER_CONFIG_DIR}"

+

+mkdir -p ${LOG_DIR}

+

+echo "[INFO] Scan of OpenShift related processes already up via ps -ef	| grep openshift : "

+ps -ef | grep openshift

+

+mkdir -p "${SERVER_CONFIG_DIR}"

+pushd "${SERVER_CONFIG_DIR}"

+

+# Make custom CA and server cert

+os::cmd::expect_success 'oadm ca create-signer-cert --overwrite=true --cert=master/custom-ca.crt --key=master/custom-ca.key --serial=master/custom-ca.txt --name=my-custom-ca@`date +%s`'

+os::cmd::expect_success 'oadm ca create-server-cert --cert=master/custom.crt --key=master/custom.key --hostnames=localhost,customhost.com --signer-cert=master/custom-ca.crt --signer-key=master/custom-ca.key --signer-serial=master/custom-ca.txt'

+

+# Create master/node configs

+os::cmd::expect_success "openshift start --master=https://localhost:${API_PORT} --write-config=. --hostname=mynode --etcd-dir=./etcd --certificate-authority=master/custom-ca.crt"

+

+# Don't try this at home.  We don't have flags for setting etcd ports in the config, but we want deconflicted ones.  Use sed to replace defaults in a completely unsafe way

+os::util::sed "s/:4001$/:${ETCD_PORT}/g" master/master-config.yaml

+os::util::sed "s/:7001$/:${ETCD_PEER_PORT}/g" master/master-config.yaml

+# replace top-level namedCertificates config 

+os::util::sed 's#^  namedCertificates: null#  namedCertificates: [{"certFile":"custom.crt","keyFile":"custom.key","names":["localhost"]}]#' master/master-config.yaml 

+

+# Start master

+OPENSHIFT_PROFILE=web OPENSHIFT_ON_PANIC=crash openshift start master \

+ --config=master/master-config.yaml \

+ --loglevel=4 \

+&>"${LOG_DIR}/openshift.log" &

+OS_PID=$!

+

+# Wait for the server to be up

+os::cmd::try_until_success "oc whoami --config=master/admin.kubeconfig"

+

+# Verify the server is serving with the custom and internal CAs, and that the generated ca-bundle.crt works for both

+os::cmd::expect_success_and_text "curl -vvv https://localhost:${API_PORT} --cacert master/ca-bundle.crt -s 2>&1" 'my-custom-ca'

+os::cmd::expect_success_and_text "curl -vvv https://127.0.0.1:${API_PORT} --cacert master/ca-bundle.crt -s 2>&1" 'openshift-signer'

+

+# Verify kubeconfigs have connectivity to hosts serving with custom and generated certs

+os::cmd::expect_success_and_text "oc whoami --config=master/admin.kubeconfig"                                        'system:admin'

+os::cmd::expect_success_and_text "oc whoami --config=master/admin.kubeconfig --server=https://localhost:${API_PORT}" 'system:admin'

+os::cmd::expect_success_and_text "oc whoami --config=master/admin.kubeconfig --server=https://127.0.0.1:${API_PORT}" 'system:admin'

+

+os::cmd::expect_success_and_text "oc whoami --config=master/openshift-master.kubeconfig"                                        'system:openshift-master'

+os::cmd::expect_success_and_text "oc whoami --config=master/openshift-master.kubeconfig --server=https://localhost:${API_PORT}" 'system:openshift-master'

+os::cmd::expect_success_and_text "oc whoami --config=master/openshift-master.kubeconfig --server=https://127.0.0.1:${API_PORT}" 'system:openshift-master'

+

+os::cmd::expect_success_and_text "oc whoami --config=node-mynode/node.kubeconfig"                                        'system:node:mynode'

+os::cmd::expect_success_and_text "oc whoami --config=node-mynode/node.kubeconfig --server=https://localhost:${API_PORT}" 'system:node:mynode'

+os::cmd::expect_success_and_text "oc whoami --config=node-mynode/node.kubeconfig --server=https://127.0.0.1:${API_PORT}" 'system:node:mynode'

+

+kill $OS_PID

+

+popd

@@ -208,7 +208,7 @@ func CreateNodeCerts(nodeArgs *start.NodeArgs, masterURL string) error {

 	createNodeConfig.Hostnames = []string{nodeArgs.NodeName}

 	createNodeConfig.ListenAddr = nodeArgs.ListenArg.ListenAddr

 	createNodeConfig.APIServerURL = masterURL

-	createNodeConfig.APIServerCAFile = admin.DefaultCertFilename(nodeArgs.MasterCertDir, "ca")

+	createNodeConfig.APIServerCAFiles = []string{admin.DefaultCertFilename(nodeArgs.MasterCertDir, "ca")}

 	createNodeConfig.NodeClientCAFile = admin.DefaultCertFilename(nodeArgs.MasterCertDir, "ca")

 	if err := createNodeConfig.Validate(nil); err != nil {