Generating your own mTLS root certificates

    When installing with linkerd install, these certificates are automatically generated. Alternatively, you can specify your own with the --identity-* flags (see the linkerd install reference).

    On the other hand, when using Helm to install Linkerd, the certificates cannot be generated automatically and you are required to provide them.

    You can generate these certificates using a tool like openssl or step. All certificates must use the ECDSA P-256 algorithm, which is the default for step. To generate ECDSA P-256 certificates with openssl, you can use the openssl ecparam -name prime256v1 command. In this tutorial, we’ll walk you through how to use the step CLI to do this.

    This generates the ca.crt and ca.key files. The ca.crt file is what you need to pass to the --identity-trust-anchors-file option when installing Linkerd with the CLI, and to the corresponding value when installing Linkerd with Helm.

    Note we use --no-password --insecure to avoid encrypting those files with a passphrase.

    For a longer-lived trust anchor certificate, pass the --not-after argument to the step command with the desired value (e.g. --not-after=87600h).

    Issuer certificate and key

    This will generate the issuer.crt and issuer.key files.
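    The same two-level hierarchy (a self-signed ECDSA P-256 trust anchor, plus an issuer certificate signed by it) can be produced with openssl instead of step. The script below is an added example and is not part of the Linkerd documentation or the Linkerd project; it assumes openssl 1.1.1 or newer is on PATH, writes into a temporary directory unless WORKDIR is set, and uses the subject names root.linkerd.cluster.local and identity.linkerd.cluster.local and the 10-year / 1-year lifetimes as assumptions, not as values taken from this page. The file names ca.crt, ca.key, issuer.crt and issuer.key match the ones the tutorial produces with step. Unlike step, openssl ecparam writes the private key unencrypted by default, so there is no equivalent of --no-password --insecure to pass.

```shell
#!/bin/sh
# Added example (not Linkerd's own code): generate a Linkerd-compatible
# trust anchor and issuer certificate with openssl, then sanity-check them.
set -eu

# All files go here; the caller may override WORKDIR.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Trust anchor: self-signed ECDSA P-256 CA. 3650 days is the openssl
# equivalent of the tutorial's --not-after=87600h example.
gen_trust_anchor() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/ca.key"
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = root.linkerd.cluster.local
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" -out "$WORKDIR/ca.crt"
}

# Issuer: an intermediate CA (pathlen:0) signed by the trust anchor. It is the
# key that signs proxy leaf certificates, so give it a much shorter life than
# the anchor (365 days here) and plan to rotate it.
gen_issuer() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/issuer.key"
  cat > "$WORKDIR/issuer.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = identity.linkerd.cluster.local
EOF
  openssl req -new -key "$WORKDIR/issuer.key" \
    -config "$WORKDIR/issuer.cnf" -out "$WORKDIR/issuer.csr"
  cat > "$WORKDIR/issuer.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$WORKDIR/issuer.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/issuer.ext" -out "$WORKDIR/issuer.crt"
}

# Checks worth running before handing the files to linkerd install:
# the issuer must chain to the anchor, and both certificates must carry
# P-256 keys, since Linkerd rejects anything else. Returns non-zero on failure.
check_certs() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/issuer.crt" >/dev/null || return 1
  for crt in ca.crt issuer.crt; do
    openssl x509 -in "$WORKDIR/$crt" -noout -text | grep -q 'ASN1 OID: prime256v1' || return 1
  done
  return 0
}

main() {
  gen_trust_anchor
  gen_issuer
  check_certs
  echo "certificates written to $WORKDIR"
  # ca.crt is the file for --identity-trust-anchors-file; issuer.crt and
  # issuer.key are passed with the CLI's issuer flags (not shown on this page).
}

main
```

    Keep ca.key offline after the issuer has been signed: only ca.crt is given to Linkerd, and a compromised anchor key means re-issuing every issuer in every cluster that trusts it.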

    Passing the certificates to Linkerd

    You can finally provide these files when installing Linkerd with the CLI:

    Or when installing with Helm:

    For Helm versions before v3, the flag has to be passed explicitly. In Helm v3 it has been deprecated, and its value is instead given as the first positional argument, as shown above.