During installation, PKI Hub generates an insecure self-signed certificate for securing communications with Grafana, the Management Console, and the solution services. You must replace this certificate before running PKI Hub in a production environment.
TLS certificate fields
Set the PKI Hub hostname or IP address in one of the following TLS certificate fields.
- Subject Alternative Name (SAN) extension.
- The Common Name (CN) field of the certificate subject.
When both fields are present, the SAN extension takes precedence and the Subject Common Name is ignored.
TLS certificate algorithms
Generate the PKI Hub TLS key pair using one of the following algorithms.
- RSA 2048 bits
- RSA 3072 bits
- RSA 4096 bits
- ECDSA curve NIST P-256
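The following preflight script checks a PEM certificate against the two requirements above (the hostname or IP address appears in the SAN extension, and the key is RSA 2048/3072/4096 or ECDSA P-256) before it is installed. It is an added example, not Entrust's code or part of clusterctl; it assumes the openssl command-line tool is available, and the hostname pkihub.example.com and the make_demo_cert helper are constructed for demonstration only.

```shell
#!/usr/bin/env bash
# Preflight check of a PEM certificate against the PKI Hub TLS requirements.
# Added example, not Entrust's code. Assumes the openssl CLI is installed.
set -eu

# Succeed if the SAN extension lists the hostname or IP address given in $2.
san_contains() {
  local host_re
  host_re=$(printf '%s' "$2" | sed 's/\./\\./g')          # match dots literally
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "(DNS|IP Address):${host_re}(,|$)"
}

# Succeed if the public key is RSA 2048/3072/4096 or ECDSA NIST P-256.
key_allowed() {
  local txt
  txt=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -noout -text)
  printf '%s' "$txt" | grep -q 'ASN1 OID: prime256v1' && return 0   # P-256
  printf '%s' "$txt" | grep -q 'Modulus:' \
    && printf '%s' "$txt" | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)'
}

# Run both checks; print a verdict and return non-zero on the first failure.
check_cert() {
  san_contains "$1" "$2" || { echo "FAIL: SAN does not list $2" >&2; return 1; }
  key_allowed "$1" || { echo "FAIL: key is not RSA 2048/3072/4096 or P-256" >&2; return 1; }
  echo "OK: $1 is acceptable for PKI Hub at $2"
}

# Build a constructed self-signed certificate for demonstration only
# (a production certificate is issued by the corporate PKI).
# $1 = output prefix, $2 = hostname, $3 = genpkey algorithm, $4 = pkeyopt value
make_demo_cert() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$1.cnf"
  printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\n' "$2" "$2" >> "$1.cnf"
  openssl genpkey -algorithm "$3" -pkeyopt "$4" -out "$1.key" 2>/dev/null
  openssl req -new -x509 -key "$1.key" -config "$1.cnf" -days 1 -out "$1.crt"
}

# Usage: ./check_pkihub_cert.sh pkihub.crt pkihub.example.com
if [ $# -eq 2 ]; then check_cert "$1" "$2"; fi
```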
Issuing the TLS certificate
Issue the PKI Hub TLS certificate using your corporate PKI.
Installing the TLS certificate
Run the clusterctl certificate command to install the PKI Hub TLS certificate.
When running PKI Hub in high availability mode, also install the TLS certificate in the load balancer.
Reusing the TLS certificate for CA Gateway
If the CA Gateway solution is deployed, you can use the same TLS certificate for both PKI Hub and CA Gateway.
See Configuring and deploying CA Gateway for how to select this TLS certificate in CA Gateway.