|
|
|
|
|
|
by wyuenho
2899 days ago
|
|
|
This makes more sense, but I'm still confused by that self-signed bit. By master cert, if you mean that's your internal CA's cert that's distributed across every client and server as a part of your trust root, than this makes sense. If you are saying the master self-signed cert is served directly by the orchestration cluster, than this doesn't make sense, as the clients have no way of distinguishing one self-signed cert from another. |
|
|
The master (this is the self signed part) cert becomes part of the client certs by signing.
These client certs are now only valid with the original self signed cert.
It's essentially a CA, only for the client certificates. It just isn't formalized because it's never imported. you'd also lose the ability to rotate the certs quickly without gaining any security by importing this self signed certificate as a CA.