Issuers in Distributed Cloud¶
In a Distributed Cloud environment, end-user’s applications have a number of options for the cert-manager ISSUERs they use:
(Recommended) As part of your application deployment on each subcloud, create a cert-manager ISSUER for the External CA that you wish to use for signing your certificates.
The External CA-type ISSUER is configured exactly the same way for each of your application deployments on each subcloud, and
Your external clients need only trust a single External CA’s public certificate.
As part of your application deployment on each subcloud, create a local internal RootCA
caISSUER for signing your certificates.
The local internal RootCA
caISSUER should ideally be slightly different (e.g. a unique subject) on each deployment, and
Your external clients need to trust each application deployment’s (on each subcloud) local internal RootCA public certificate.
This option is not ideal since this could mean 100s of RootCA Certificates.