In correlation with the end of life (EOL) for MKE 3.4.x, maintenance of this documentation set was discontinued as of 2023-APR-11. Click here for the latest MKE 3.x version documentation.

Use an External Certificate Authority

You can customize MKE to use certificates signed by an External Certificate Authority (ECA). When using your own certificates, include a certificate bundle with the following:

• ca.pem file with the root CA public certificate.

• cert.pem file with the server certificate and any intermediate CA public certificates. This certificate should also have Subject Alternative Names (SANs) for all addresses used to reach the MKE manager.

• key.pem file with a server private key.

You can either use separate certificates for every manager node or one certificate for all managers. If you use separate certificates, you must use a common SAN throughout. For example, MKE permits the following on a three-node cluster:

• node1.company.example.org with the SAN mke.company.org

• node2.company.example.org with the SAN mke.company.org

• node3.company.example.org with the SAN mke.company.org

If you use a single certificate for all manager nodes, MKE automatically copies the certificate files both to new manager nodes and to those promoted to a manager role.