Use an External Certificate Authority
You can customize MKE to use certificates signed by an External Certificate Authority (ECA). When using your own certificates, include a certificate bundle with the following:
ca.pem file with the root CA public certificate.
cert.pem file with the server certificate and any intermediate CA public certificates. This certificate should also have Subject Alternative Names (SANs) for all addresses used to reach the MKE manager.
key.pem file with a server private key.
You can either use separate certificates for every manager node or one certificate for all managers. If you use separate certificates, you must use a common SAN throughout. For example, MKE permits the following on a three-node cluster:
node1.company.example.org with the SAN mke.company.org
node2.company.example.org with the SAN mke.company.org
node3.company.example.org with the SAN mke.company.org
If you use a single certificate for all manager nodes, MKE automatically copies the certificate files both to new manager nodes and to those promoted to a manager role.
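One way to pre-check a bundle against the requirements above (key matches certificate, chain verifies to ca.pem, shared SAN present) before installing it, as an added example that is not Mirantis tooling. The function names are hypothetical, the demo CA and certificates are constructed throwaway input, and the OpenSSL 1.1.1 or later CLI is assumed.

```shell
# Added example (not Mirantis tooling). Requires the OpenSSL 1.1.1+ CLI.
# Usage: check_bundle /path/to/bundle mke.company.org   (path is hypothetical)
# Returns 0 only if the key matches, the chain verifies, and each NAME is a SAN.
check_bundle() (
  dir=$1; shift
  # 1. key.pem must be the private key of the first certificate in cert.pem.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || exit 1
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null) || exit 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key.pem does not match cert.pem" >&2; exit 1; }
  # 2. The server certificate must chain to ca.pem, using any intermediate
  #    certificates that follow it in cert.pem.
  openssl verify -CAfile "$dir/ca.pem" -untrusted "$dir/cert.pem" \
    "$dir/cert.pem" >/dev/null 2>&1 || { echo "chain does not verify" >&2; exit 1; }
  # 3. Every NAME must appear as an exact DNS SAN (wildcard and IP SANs are
  #    not interpreted by this check).
  sans=$(openssl x509 -in "$dir/cert.pem" -noout -ext subjectAltName 2>/dev/null | tr -s ', ' '\n\n')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$name" || { echo "missing SAN $name" >&2; exit 1; }
  done
)

# Constructed sample input: a throwaway root CA written to DIR/ca.key and DIR/ca.pem.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Constructed sample input: bundle directory OUT for host NODE, signed by the
# CA in CADIR, carrying NODE and the shared name SHARED as SANs.
make_demo_bundle() {
  cadir=$1 out=$2 node=$3 shared=$4
  mkdir -p "$out" && cp "$cadir/ca.pem" "$out/ca.pem"
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$node" "$shared" > "$out/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$node" \
    -keyout "$out/key.pem" -out "$out/req.csr" 2>/dev/null
  openssl x509 -req -in "$out/req.csr" -CA "$cadir/ca.pem" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 1 -extfile "$out/san.ext" -out "$out/cert.pem" 2>/dev/null
}
```

With separate per-node certificates, run the check against each node's bundle with the same shared name so a certificate missing the common SAN is caught before it reaches a manager.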