- Obtain the certificate files, noting the file names for use in future commands.

  | Filename | Description |
  | --- | --- |
  | root-cert.pem | Root CA certificate for PKI. |
  | ca-cert.pem | Intermediate CA certificate from root CA. This is the Istio CA certificate. |
  | ca-key.pem | Private key for Istio CA certificate. |
  | cert-chain.pem | Full chain from ca-cert.pem to root-cert.pem (including both certificates). |

- Use the code in the following sample.

  ```bash
  # Concatenate all certificates into a certificate chain file
  # Assuming `N` intermediate certificates denoted as `int-ca-<i>.pem`, with `i = {1,...,N}`
  cat ca-cert.pem int-ca-1.pem ... int-ca-N.pem root-cert.pem > cert-chain.pem

  # Create new Kubernetes secret with CA certificate files
  kubectl -n istio-system create secret generic cacerts \
    --from-file=./ca-cert.pem \
    --from-file=./ca-key.pem \
    --from-file=./root-cert.pem \
    --from-file=./cert-chain.pem
  ```
In a new standard Domino install, if you follow the install process, the fleetcommand-agent (Domino installer) automatically picks up the secret that you created and Istio uses the configured certificates. In an existing Domino installation, you must restart all the pods.
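A pre-flight check for the four files, to run before the `cacerts` secret is created. This is an added example, not part of the Domino or Istio documentation. It assumes `openssl` is on the PATH; the script name `check-cacerts.sh` and the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight checks for the files that go into the `cacerts` secret (added example).
# Usage: sh check-cacerts.sh <dir>   (script name is hypothetical)

# SHA-256 fingerprint of the first certificate read from stdin.
fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null; }

# Last PEM certificate block of a file (the buffer restarts at every BEGIN line).
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" }
       END { printf "%s", buf }' "$1"
}

# ca-key.pem must be the private key that belongs to ca-cert.pem.
key_matches_cert() {   # args: cert key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert-chain.pem must start with ca-cert.pem, end with root-cert.pem,
# and must not contain any private key material.
chain_is_ordered() {   # args: ca-cert root-cert cert-chain
  if grep -q 'PRIVATE KEY' "$3"; then return 1; fi
  first=$(fp < "$3") && last=$(last_cert "$3" | fp) || return 1
  [ -n "$first" ] && [ "$first" = "$(fp < "$1")" ] && [ "$last" = "$(fp < "$2")" ]
}

# ca-cert.pem must verify up to root-cert.pem using only certificates in the chain file.
chain_verifies() {     # args: ca-cert root-cert cert-chain
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

preflight() {          # arg: directory holding the four files
  d=$1; rc=0
  key_matches_cert "$d/ca-cert.pem" "$d/ca-key.pem" \
    || { echo "FAIL: ca-key.pem does not match ca-cert.pem"; rc=1; }
  chain_is_ordered "$d/ca-cert.pem" "$d/root-cert.pem" "$d/cert-chain.pem" \
    || { echo "FAIL: cert-chain.pem order or content is wrong"; rc=1; }
  chain_verifies "$d/ca-cert.pem" "$d/root-cert.pem" "$d/cert-chain.pem" \
    || { echo "FAIL: ca-cert.pem does not chain to root-cert.pem"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: files are consistent"
  return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

The script exits non-zero on any failed check, so it can gate the `kubectl create secret` step in an install pipeline.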