Issuers in Distributed Cloud

In a Distributed Cloud environment, end-user applications have a number of options for the cert-manager ISSUERs they use:

  • (Recommended) As part of your application deployment on each subcloud, create a cert-manager ISSUER for the External CA that you wish to use for signing your certificates.

    • The External CA-type ISSUER is configured exactly the same way for each of your application deployments on each subcloud, and

    • Your external clients need only trust a single External CA’s public certificate.

  • As part of your application deployment on each subcloud, create a local internal RootCA ca ISSUER for signing your certificates.

    • The local internal RootCA ca ISSUER should ideally be slightly different (e.g. a unique subject) on each deployment, and

    • Your external clients need to trust each application deployment’s (on each subcloud) local internal RootCA public certificate.

    • This option is not ideal, since it could mean external clients having to trust 100s of RootCA certificates.
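
The second option above, sketched as cert-manager manifests for a single subcloud (an added example, not taken from the original documentation): a self-signed Issuer bootstraps the local RootCA certificate, and a ca ISSUER then signs the application's certificates with it. The namespace `my-app`, the subcloud name `subcloud1`, all resource names and the duration are assumptions chosen for illustration.

```yaml
# Constructed example: "my-app" and "subcloud1" are placeholder names.
# 1. Self-signed Issuer, used only to bootstrap the local RootCA certificate.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-app-selfsigning-issuer
  namespace: my-app
spec:
  selfSigned: {}
---
# 2. The local internal RootCA certificate for this subcloud.
#    The subject carries the subcloud name so that it is unique per deployment.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-rootca-certificate
  namespace: my-app
spec:
  isCA: true
  commonName: my-app-rootca-subcloud1
  subject:
    organizations:
      - my-app-subcloud1
  secretName: my-app-rootca-secret
  duration: 8760h        # constructed value; set according to your PKI policy
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: my-app-selfsigning-issuer
    kind: Issuer
---
# 3. The ca ISSUER that signs the application's certificates with the RootCA.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-app-rootca-issuer
  namespace: my-app
spec:
  ca:
    secretName: my-app-rootca-secret
```

The RootCA public certificate that external clients must trust is the `tls.crt` entry of `my-app-rootca-secret`; with this option a different one has to be exported and distributed for every subcloud.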