Use an External Certificate Authority¶
You can customize MKE to use certificates signed by an External Certificate Authority (ECA). When using your own certificates, include a certificate bundle with the following:
ca.pemfile with the root CA public certificate.
cert.pemfile with the server certificate and any intermediate CA public certificates. This certificate should also have Subject Alternative Names (SANs) for all addresses used to reach the MKE manager.
key.pemfile with a server private key.
You can either use separate certificates for every manager node or one certificate for all managers. If you use separate certificates, you must use a common SAN throughout. For example, MKE permits the following on a three-node cluster:
node1.company.example.orgwith the SAN
node2.company.example.orgwith the SAN
node3.company.example.orgwith the SAN
If you use a single certificate for all manager nodes, MKE automatically copies the certificate files both to new manager nodes and to those promoted to a manager role.