Specifying your own certificate for IBM Cloud Private services

Provide your own certificate to use for authentication of the Image Manager (Docker Registry) and IBM® Cloud Private management ingress.

You can bring your own key (BYOK) and its certificate to use inside your IBM Cloud Private cluster. The BYOK key must be exported in PEM (OpenSSL) format. The subject alternative name (SAN) of your certificate must include the domain name that you set as the CA domain parameter (cluster_CA_domain). Complete the following steps to use an existing certificate.

  1. Create the cfc-certs/router directory inside your cluster directory:

    mkdir -p <installation_dir>/cluster/cfc-certs/router
    
  2. Rename your existing BYOK to icp-router.key, and copy the key file to the installation directory:

    mv <BYOK_location>/<BYOK> icp-router.key
    cp icp-router.key <installation_dir>/cluster/cfc-certs/router/
    
  3. Rename your existing certificate for your BYOK to icp-router.crt, and copy the certificate file to the installation directory:

    mv <BYOK_location>/<BYOK_cert> icp-router.crt
    cp icp-router.crt <installation_dir>/cluster/cfc-certs/router/
    
  4. Set the CA domain parameter in the <installation_dir>/cluster/config.yaml file to the CN name of your BYOK:

    cluster_CA_domain: <cn_name_BYOK>
    
  5. Install your cluster.
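
Before you run step 5, you can check that the key and certificate are PEM files, that they belong together, and that the SAN lists the cluster_CA_domain value. The following script is an added example, not part of the IBM Cloud Private installer; it assumes that the openssl command (1.1.1 or later) is available, and its function names and the mycluster.icp sample domain are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code: pre-install checks for the BYOK files and
# the cluster_CA_domain value. Sample files below are constructed.

# Print the cluster_CA_domain value from a config.yaml file.
ca_domain_from_config() {
    sed -n 's/^cluster_CA_domain:[[:space:]]*//p' "$1" | tr -d "\"'" | head -n 1
}

# check_byok KEY CERT DOMAIN: return 0 only if every check passes.
check_byok() {
    key=$1 cert=$2 domain=$3
    # PEM is text with BEGIN/END armor; DER or PKCS#12 input fails here.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "key is not PEM" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "certificate is not PEM" >&2; return 1; }
    # The certificate must carry the public half of this private key.
    # "-passin pass:" keeps openssl from prompting on an encrypted key.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "cannot parse private key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "key and certificate do not match" >&2; return 1; }
    # The SAN extension must list the CA domain as a DNS entry.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -Fqx "DNS:$domain" ||
        { echo "SAN does not include $domain" >&2; return 1; }
}

# Constructed sample: self-signed pair in DIR ($1) with CN and SAN = $2.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/icp-router.key" -out "$1/icp-router.crt" 2>/dev/null
}

# Demo on constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pair "$dir" mycluster.icp
    printf 'cluster_CA_domain: mycluster.icp\n' > "$dir/config.yaml"
    check_byok "$dir/icp-router.key" "$dir/icp-router.crt" \
        "$(ca_domain_from_config "$dir/config.yaml")"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo && echo "BYOK pair is consistent with config.yaml"
```

To check your own files, call check_byok with the icp-router.key and icp-router.crt paths under <installation_dir>/cluster/cfc-certs/router and the output of ca_domain_from_config for your config.yaml file.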