System Local CA Issuer
At installation time, a ClusterIssuer named system-local-ca is created. It is intended to be the single root of trust for Platform Certificates, so that external clients using Platform APIs need only add one Root CA public certificate to their list of trusted CAs in order to validate Platform server certificates.
The Intermediate CA TLS certificate and key are customizable during installation using bootstrap overrides (see Ansible Bootstrap Configurations). If the overrides are not provided, the issuer is set up to use the Kubernetes Root CA. The data is stored in a Kubernetes TLS Secret named system-local-ca in the cert-manager namespace.
In a Distributed Cloud system, by default, the subclouds are deployed with the same TLS certificate and key in the system-local-ca issuer as the SystemController.
During bootstrap, this ClusterIssuer automatically issues:
Local OpenLDAP certificate (in DC SystemController or Standalone controller).
REST API & Web Server certificate.
Docker Registry certificate.
The Root CA public certificate of system-local-ca can be retrieved with the following CLI command:
$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
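The point of a single Root CA is that a client holding only that one certificate can validate every Platform server certificate. The script below is an added example, not code from the StarlingX documentation or project: it shows that client-side check with openssl verify. Because it has to run offline, it generates a throwaway Root CA and server certificate that stand in for the decoded ca.crt and for a platform certificate (the CA names, the DNS name api.example.internal and the file layout are constructed for the example); on a real system the CA file is the output of the kubectl command above.

```shell
# Added example; not part of the StarlingX documentation or project code.
# Shows the client-side check the single-Root-CA design enables: a client that
# trusts only the system-local-ca Root CA verifies that a server certificate
# chains to it, and rejects it when the trust store holds a different CA.
# The CA and server certificate are constructed here so the script runs offline.
set -eu

WORK="$(mktemp -d)"

# Create a self-signed CA (stand-in for the decoded system-local-ca ca.crt).
# $1 = output path prefix, $2 = CA common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue a server certificate for a DNS SAN, signed by the given CA
# (stand-in for a certificate issued by the system-local-ca ClusterIssuer).
# $1 = CA path prefix, $2 = output path prefix, $3 = DNS name for subjectAltName.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$3" > "$2.ext"
    openssl x509 -req -days 1 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}

# The check itself: does the server certificate chain to this Root CA?
# $1 = CA certificate (PEM), $2 = server certificate (PEM). Exit status 0 = trusted.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed material: the platform CA, a server certificate it issued, and an
# unrelated CA that the client must not accept.
make_ca "$WORK/platform-ca" "stand-in-system-local-ca"
make_ca "$WORK/other-ca" "unrelated-ca"
issue_server_cert "$WORK/platform-ca" "$WORK/rest-api" "api.example.internal"

PLATFORM_CA="$WORK/platform-ca.crt"
REST_API_CERT="$WORK/rest-api.crt"
OTHER_CA="$WORK/other-ca.crt"

if verify_against_ca "$PLATFORM_CA" "$REST_API_CERT"; then
    echo "server certificate chains to the platform Root CA"
fi
if ! verify_against_ca "$OTHER_CA" "$REST_API_CERT"; then
    echo "server certificate is rejected when the trust store holds a different CA"
fi
```

Against a live endpoint the same check is `openssl s_client -connect <host>:<port> -CAfile ca.crt </dev/null`, where ca.crt is the decoded secret content; the handshake summary should end with `Verify return code: 0 (ok)`. Any other return code means the endpoint is presenting a certificate that was not signed by system-local-ca (for example one left over from before the Platform Certificates were migrated to cert-manager).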
You can also create other server certificates using this issuer and use them in your applications. These certificates are renewed automatically by cert-manager. For reference, a snippet showing how this can be included in a Kubernetes resource file (to be applied afterwards):
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <cert-name>
  namespace: <cert-namespace>
spec:
  secretName: <secret-name (where the cert will be stored) >
  dnsNames:
  - ...
  ipAddresses:
  - ...
  issuerRef:
    name: system-local-ca
    kind: ClusterIssuer
Note
To change or renew the system-local-ca Secret used for signing, the update_platform_certificates.yml playbook MUST BE USED; see Update system-local-ca or Migrate Platform Certificates to use Cert Manager. This playbook updates the system-local-ca Secret and Issuer, re-signs all of the Platform Certificates using this issuer and, in a Distributed Cloud environment, iterates through all of the Subclouds and performs the same updates and re-signing on each Subcloud.