Set up custom Certificate Authority (CA) certificates

Important

When Domino deploys Istio mesh, out of the box, Istio provides scalable identity and X.509 certificate management for use with mTLS encryption, including periodic certificate and key rotation.

Because all encrypted communication is internal,

these certificates are not exposed or required for communication to any external services, such as web browsers and clients.

Domino acknowledges that enterprise policies might mandate the use of corporate public key infrastructure (PKI) and necessitate the use of certificate authority (CA) certificates.

Note
All certificates must be X.509 PEM format and
keys must be passwordless.

  1. Obtain the certificate files, noting the file names for use in future commands.

    FilenameDescription

    root-cert.pem

    Root CA certificate for PKI.

    ca-cert.pem

    Intermediate CA certificate from root CA. This is the Istio CA certificate.

    ca-key.pem

    Private key for Istio CA certificate.

    cert-chain.pem

    Full chain from ca-cert.pem to root-cert.pem

    (including both certificates).

  2. Use the code in the following sample.

    # Concatenate all certificates into a certificate chain file
# Assuming `N` intermediate certificates denoted as `int-ca-<i>.pem`, with `i = {1,...,N}`
cat ca-cert.pem int-ca-1.pem ... int-ca-N.pem root-cert.pem > cert-chain.pem

# Create new kubernetes secret with CA certificate files
kubectl -n istio-system create secret generic cacerts
    --from-file=./ca-cert.pem
    --from-file=./ca-key.pem
    --from-file=./root-cert.pem
    --from-file=./cert-chain.pem

    In a new standard Domino install, if you follow the install process, the fleetcommand-agent (Domino installer) automatically picks up the secret that you created and Istio uses the configured certificates.

    In an existing Domino installation, you must restart all the pods.