Generating your own mTLS root certificates
In order to support mTLS connections between meshed pods, Linkerd needs a trust anchor certificate and an issuer certificate with its corresponding key.
When installing with linkerd install
, these certificates are automatically generated. Alternatively, you can specify your own with the --identity-*
flags (see the linkerd install reference).
On the other hand when using Helm to install Linkerd, it’s not possible to automatically generate them and you’re required to provide them.
You can generate these certificates using a tool like openssl or step. All certificates must use the ECDSA P-256 algorithm which is the default for step
. To generate ECDSA P-256 certificates with openssl, you can use the openssl ecparam -name prime256v1
command. In this tutorial, we’ll walk you through how to to use the step
CLI to do this.
Linkerd Production Tip
This page contains best-effort instructions by the open source community. Production users with mission-critical applications should familiarize themselves with Linkerd production resources and/or connect with a commercial Linkerd provider.
Generating the certificates with step
Trust anchor certificate
First generate the root certificate with its private key (using step
version 0.10.1):
step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure
This generates the ca.crt
and ca.key
files. The ca.crt
file is what you need to pass to the --identity-trust-anchors-file
option when installing Linkerd with the CLI, and the identityTrustAnchorsPEM
value when installing the linkerd-control-plane
chart with Helm.
Note we use --no-password --insecure
to avoid encrypting those files with a passphrase.
For a longer-lived trust anchor certificate, pass the --not-after
argument to the step command with the desired value (e.g. --not-after=87600h
).
Issuer certificate and key
Then generate the intermediate certificate and key pair that will be used to sign the Linkerd proxies’ CSR.
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca ca.crt --ca-key ca.key
This will generate the issuer.crt
and issuer.key
files.
Passing the certificates to Linkerd
You can finally provide these files when installing Linkerd with the CLI:
# first, install the Linkerd CRDs
linkerd install --crds | kubectl apply -f -
# install the Linkerd control plane, with the certificates we just generated.
linkerd install \
--identity-trust-anchors-file ca.crt \
--identity-issuer-certificate-file issuer.crt \
--identity-issuer-key-file issuer.key \
| kubectl apply -f -
Or when installing with Helm, first install the linkerd-crds
chart:
helm install linkerd-crds linkerd/linkerd-crds -n linkerd --create-namespace
Then install the linkerd-control-plane
chart:
helm install linkerd-control-plane -n linkerd \
--set-file identityTrustAnchorsPEM=ca.crt \
--set-file identity.issuer.tls.crtPEM=issuer.crt \
--set-file identity.issuer.tls.keyPEM=issuer.key \
linkerd/linkerd-control-plane