During installation, PKI Hub generates a self-signed certificate to secure communications with Grafana, the Management Console, and the solution services. Because clients cannot validate a self-signed certificate against a trusted CA, it is insecure, and you must replace it before running PKI Hub in a production environment.

TLS certificate fields

The TLS certificate must contain the following values in the fields shown.

  • Value: the hostname or IP address of the PKI Hub
    Field: Common Name (CN) of the certificate subject or Subject Alternative Name (SAN) extension. When both are present, the SAN takes precedence.
    Mandatory: always

  • Value: the hostname or IP address of the issuing certificate authority
    Field: Subject Alternative Name (SAN) extension
    Mandatory: when deploying the Certificate Authority solution

Most current TLS clients (browsers and common TLS libraries) ignore the CN and match the server name only against the SAN, so always put the PKI Hub hostname in the SAN rather than relying on the CN. If clients reach PKI Hub by IP address, the address must appear in the SAN as an IP entry, not as a DNS entry.

TLS certificate algorithms

Generate the PKI Hub TLS key pair using one of the following algorithms.

  • RSA 2048 bits
  • RSA 3072 bits
  • RSA 4096 bits
  • ECDSA curve NIST P-256
  • ECDSA curve NIST P-384
  • ECDSA curve NIST P-521

Issuing the TLS certificate 

Issue the PKI Hub TLS certificate from your corporate PKI, so that clients can validate it against a CA they already trust. Verify that the certificate the CA returns actually contains the SAN entries and key algorithm required above before installing it: the CA policy, not the request, determines which extensions end up in the certificate.

Installing the TLS certificate 

Run the clusterctl certificate command to install the PKI Hub TLS certificate.

When running PKI Hub in high availability, also install the TLS certificate in the load balancer. Clients connect to the load balancer's address, so that address is the PKI Hub hostname or IP address that the certificate must carry.
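As an added example (not part of the PKI Hub product or its documentation), the following POSIX shell script walks through the flow with OpenSSL: it generates an ECDSA P-256 key pair and a CSR whose SAN carries the PKI Hub hostname and IP address and the issuing CA hostname, issues a certificate, and checks the issued certificate against the requirements above before it is handed to clusterctl certificate. The hostnames and address are hypothetical, and the stand-in CA exists only so the script runs offline; in production, submit the CSR to your corporate PKI and run the check against the certificate it returns. OpenSSL 1.1.1 or later is required for req -addext. The clusterctl invocation itself is not reproduced because its arguments are not given on this page.

```shell
#!/bin/sh
# Added example, not part of the PKI Hub product or its documentation.
# Generates a PKI Hub TLS key pair and CSR carrying the mandatory SAN entries,
# issues a certificate from a stand-in CA (in production, submit the CSR to your
# corporate PKI instead), and checks the result before it is installed.
# Requires OpenSSL 1.1.1 or later (for "req -addext").
set -eu

# Hypothetical names and addresses, constructed for this example.
PKIHUB_HOST="pkihub.example.internal"
PKIHUB_IP="10.0.10.25"
ISSUING_CA_HOST="issuingca.example.internal"
SAN="DNS:$PKIHUB_HOST,IP:$PKIHUB_IP,DNS:$ISSUING_CA_HOST"

# gen_key_and_csr DIR: ECDSA P-256 key (one of the allowed algorithms) and a CSR
# whose SAN names the PKI Hub (DNS and IP entries) and the issuing CA. The CN is
# set as well, but clients match on the SAN.
gen_key_and_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/pkihub.key"
  openssl req -new -key "$1/pkihub.key" -out "$1/pkihub.csr" \
    -subj "/CN=$PKIHUB_HOST" -addext "subjectAltName=$SAN"
}

# sign_with_stand_in_ca DIR: throwaway CA standing in for the corporate PKI so the
# example runs offline. "x509 -req" drops CSR extensions unless told otherwise,
# so the SAN is supplied again through -extfile; a real CA policy decides this.
sign_with_stand_in_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -out "$1/ca.crt" -days 1 \
    -subj "/CN=Stand-in Corporate CA"
  printf 'subjectAltName=%s\n' "$SAN" > "$1/san.ext"
  openssl x509 -req -in "$1/pkihub.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/pkihub.crt"
}

# check_cert CERT: return 0 when CERT meets the requirements on this page,
# otherwise print the first failed check and return 1. Substring checks on the
# "openssl x509 -text" output are sufficient for a pre-install gate.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  # The SAN values are printed on the line after the extension name.
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
  # PKI Hub hostname or IP address must be in the SAN (DNS or IP entry).
  case "$san" in
    *"DNS:$PKIHUB_HOST"*|*"IP Address:$PKIHUB_IP"*) ;;
    *) echo "FAIL: SAN names neither $PKIHUB_HOST nor $PKIHUB_IP"; return 1 ;;
  esac
  # Issuing CA hostname must be in the SAN when the CA solution is deployed.
  case "$san" in
    *"DNS:$ISSUING_CA_HOST"*) ;;
    *) echo "FAIL: SAN does not name the issuing CA $ISSUING_CA_HOST"; return 1 ;;
  esac
  # Key must be RSA 2048/3072/4096 or ECDSA on NIST P-256/P-384/P-521.
  case "$text" in
    *"Public Key Algorithm: rsaEncryption"*) case "$text" in
      *"Public-Key: (2048 bit)"*|*"Public-Key: (3072 bit)"*|*"Public-Key: (4096 bit)"*) ;;
      *) echo "FAIL: RSA key size is not 2048, 3072 or 4096"; return 1 ;;
    esac ;;
    *"Public Key Algorithm: id-ecPublicKey"*) case "$text" in
      *"NIST CURVE: P-256"*|*"NIST CURVE: P-384"*|*"NIST CURVE: P-521"*) ;;
      *) echo "FAIL: ECDSA curve is not P-256, P-384 or P-521"; return 1 ;;
    esac ;;
    *) echo "FAIL: key algorithm is neither RSA nor ECDSA"; return 1 ;;
  esac
  echo "OK: $1 meets the PKI Hub TLS certificate requirements"
}

# Run the flow once in a scratch directory. Installation (clusterctl certificate)
# is not reproduced here because its arguments are not given on this page.
main() {
  dir=$(mktemp -d)
  gen_key_and_csr "$dir"
  sign_with_stand_in_ca "$dir"
  check_cert "$dir/pkihub.crt"
  rm -rf "$dir"
}
main
```

Run check_cert against the certificate your corporate PKI returns, not only against the CSR you submitted. A certificate that fails the SAN checks is exactly the one that would produce name-mismatch errors in browsers and service clients once installed, and the CA, not the requester, decides which extensions end up in the certificate.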

Reusing as CA Gateway TLS certificate

If the CA Gateway solution is deployed, you can use the same TLS certificate for PKI Hub and CA Gateway.

See Configuring and deploying CA Gateway for selecting this TLS certificate in CA Gateway.