Generating your own mTLS root certificates
In order to support mTLS connections between meshed pods, Linkerd needs a trust anchor certificate and an issuer certificate with its corresponding key.
When installing with linkerd install, these certificates are automatically generated. Alternatively, you can specify your own with the --identity-* flags (see the linkerd install reference).
When using Helm to install Linkerd, on the other hand, they cannot be generated automatically, and you are required to provide them.
You can generate these certificates using a tool like openssl or step. In this tutorial, we'll walk you through how to use the step CLI to do this.
Generating the certificates with step
First, generate the root certificate with its private key (using step version 0.10.1):
step certificate create identity.linkerd.cluster.local ca.crt ca.key --profile root-ca --no-password --insecure
This generates the ca.crt and ca.key files. The ca.crt file is what you need to pass to the --identity-trust-anchors-file option when installing Linkerd with the CLI, and the Identity.TrustAnchorsPEM value when installing Linkerd with Helm.
Note that we use --no-password --insecure to avoid encrypting those files with a passphrase.
Then generate the intermediate certificate and key pair that will be used to sign the Linkerd proxies' CSRs.
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure
This will generate the issuer.crt and issuer.key files.
Passing the certificates to Linkerd
You can finally provide these files when installing Linkerd with the CLI:
linkerd install \
--identity-trust-anchors-file ca.crt \
--identity-issuer-certificate-file issuer.crt \
--identity-issuer-key-file issuer.key \
--identity-issuance-lifetime 8760h \
| kubectl apply -f -
Or when installing with Helm:
helm install \
--set-file Identity.TrustAnchorsPEM=ca.crt \
--set-file Identity.Issuer.TLS.CrtPEM=issuer.crt \
--set-file Identity.Issuer.TLS.KeyPEM=issuer.key \
--set Identity.Issuer.CrtExpiry=$(date -d '+8760 hour' +"%Y-%m-%dT%H:%M:%SZ") \
charts/linkerd2