Generating your own mTLS root certificates
When installing with the Linkerd CLI, these certificates are automatically generated. Alternatively, you can specify your own with the --identity-* flags (see the linkerd install reference).
On the other hand, when using Helm to install Linkerd, it’s not possible to automatically generate them and you’re required to provide them.
First generate the root certificate with its private key (using step version 0.10.1):
This generates the ca.crt and ca.key files. The ca.crt file is what you need to pass to the --identity-trust-anchors-file option when installing Linkerd with the CLI, and the value when installing Linkerd with Helm.
Then generate the intermediate certificate and key pair that will be used to sign the Linkerd proxies’ CSR.
This will generate the issuer.crt and issuer.key files.
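The two-tier layout described above, built with openssl instead of step and then checked before the files are handed to an installer. This is an added example, not from the Linkerd documentation; the certificate names, EC P-256 keys, lifetimes and the make_pki / check_pair helpers are assumptions.

```shell
#!/bin/sh
# Added example: openssl stand-in for the page's step commands, plus checks.
set -eu
ROOT_CN="root.linkerd.cluster.local"        # assumed name, not from the page
ISSUER_CN="identity.linkerd.cluster.local"  # assumed name, not from the page

# make_pki DIR: write ca.crt/ca.key (root) and issuer.crt/issuer.key into DIR.
make_pki() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_issuer]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=$ROOT_CN" -days 3650 \
    -config "$1/ext.cnf" -extensions v3_root -out "$1/ca.crt"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/issuer.key"
  openssl req -new -key "$1/issuer.key" -subj "/CN=$ISSUER_CN" \
    -config "$1/ext.cnf" -out "$1/issuer.csr"
  openssl x509 -req -in "$1/issuer.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/ext.cnf" -extensions v3_issuer \
    -out "$1/issuer.crt" 2>/dev/null
}

# check_pair DIR: succeed only if issuer.crt is a CA cert signed by ca.crt
# and issuer.key is the private key for issuer.crt.
check_pair() {
  openssl verify -CAfile "$1/ca.crt" "$1/issuer.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/issuer.crt" -noout -text | grep -q "CA:TRUE" || return 1
  [ "$(openssl x509 -in "$1/issuer.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/issuer.key" -pubout)" ]
}

demo_dir=$(mktemp -d)   # scratch directory holding a constructed sample PKI
make_pki "$demo_dir"
check_pair "$demo_dir" && echo "issuer.crt chains to ca.crt and matches issuer.key"
```

check_pair works the same way on files produced by step, as long as they use the ca.crt, issuer.crt and issuer.key names from this page.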
Passing the certificates to Linkerd
Or when installing with Helm: