This section is required only if the Kubernetes cluster that will host Cert-manager.io will use a trusted HTTPS connection to connect to Certificate Enrollment. If you will not use a trusted HTTPS connection, you can skip this section. You must complete this step before deploying the Kubernetes cluster.

To configure Linux to trust a CA certificate chain, complete the following steps.

  1. Transfer Certificate Enrollment Gateway's trust certificate chain (from the issuing CA certificate to the root CA certificate) to the Linux server that will host Cert-manager.io. The certificate files must be in PEM format.
  2. Log in to the Linux server that will host Cert-manager.io.
  3. Copy the certificates (trust chain) into the following directory:

    /etc/pki/ca-trust/source/anchors
  4. From the directory that contains ca-bundle.crt, enter the following command to update the file permissions for ca-bundle.crt so everyone can read the file:

    sudo chmod +r ./ca-bundle.crt
  5. Run the following command to update the ca-bundle.crt file at the operating system level:

    sudo update-ca-trust extract
  6. Verify that the certificates were added to the following file:

    /etc/pki/tls/certs/ca-bundle.crt
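
The verification in step 6 can be scripted. The following is an added example, not part of the product documentation: it checks that every certificate in a PEM chain file appears in the bundle, comparing base64 bodies with whitespace removed so that different line wrapping does not cause a false mismatch. The function names, the script name and the demo data are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: sh check-anchors.sh <chain.pem> [bundle]   (script name is hypothetical)

# Print one line per CERTIFICATE block: its base64 body with whitespace removed.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inside && body != "") print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Print how many certificates in chain file $1 are absent from bundle $2.
# Succeeds only if the chain file holds at least one certificate and none are missing.
missing_from_bundle() {
    chain=$1; bundle=$2; total=0; missing=0
    bundle_list=$(pem_bodies "$bundle")
    for body in $(pem_bodies "$chain"); do
        total=$((total + 1))
        printf '%s\n' "$bundle_list" | grep -Fxq -- "$body" || missing=$((missing + 1))
    done
    echo "$missing"
    [ "$total" -gt 0 ] && [ "$missing" -eq 0 ]
}

# Constructed demo data (placeholder base64, not real certificates): the bundle
# holds the same body as the chain file, wrapped at a different width.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktM' \
        'TU5PUFFSU1RVVldY' '-----END CERTIFICATE-----' > "$d/chain.pem"
    printf '%s\n' '# Example Root' '-----BEGIN CERTIFICATE-----' \
        'QUJDREVGR0hJSktMTU5PUFFSU1RVVldY' '-----END CERTIFICATE-----' > "$d/bundle.crt"
    missing_from_bundle "$d/chain.pem" "$d/bundle.crt" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -ge 1 ]; then
    if n=$(missing_from_bundle "$1" "${2:-/etc/pki/tls/certs/ca-bundle.crt}"); then
        echo "OK: every certificate in $1 is in the bundle"
    else
        echo "FAIL: $n certificate(s) from $1 not found (or the file has none)"
        exit 1
    fi
else
    demo >/dev/null && echo "demo: constructed chain found in constructed bundle"
fi
```

Run it once for each file copied into /etc/pki/ca-trust/source/anchors; a non-zero exit status means at least one certificate from that file is not in the bundle.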