TLS Certificate Usage

Stage: Alpha Status: Draft

Certificates generated by ironroot-client request-cert can be imported into Kubernetes as TLS Secrets.

kubectl create secret tls demo-local-tls \
  --cert=.localdev/certs/demo.local/tls.crt \
  --key=.localdev/certs/demo.local/tls.key \
  --namespace default

For ingress controllers that expect a full chain, use fullchain.crt where supported:

kubectl create secret generic demo-local-chain \
  --from-file=tls.crt=.localdev/certs/demo.local/fullchain.crt \
  --from-file=tls.key=.localdev/certs/demo.local/tls.key

Do not store the Root CA private key in Kubernetes. Only workload certificates, private workload keys, and public trust bundles belong in cluster Secrets or ConfigMaps.
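A pre-import check for the files used above, added here as an example and not part of ironroot-client. It assumes the `openssl` CLI is installed and that the Root CA certificate carries `basicConstraints CA:TRUE`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not ironroot-client code): sanity checks to run before
# `kubectl create secret`. Function names are hypothetical. Needs openssl.

# Public key (PEM) of the first certificate in a file; for fullchain.crt
# the first certificate is expected to be the leaf.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from an unencrypted private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# True when the first certificate has basicConstraints CA:TRUE.
# Assumption: the Root CA certificate is marked this way.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Returns 0 = safe to import, 2 = file unreadable,
# 3 = certificate is a CA (its key must stay out of the cluster),
# 4 = certificate and key do not belong together.
check_tls_pair() {
  ctp_cert=$1
  ctp_key=$2
  [ -r "$ctp_cert" ] && [ -r "$ctp_key" ] || {
    echo "certificate or key not readable" >&2
    return 2
  }
  if cert_is_ca "$ctp_cert"; then
    echo "refusing: $ctp_cert is a CA certificate" >&2
    return 3
  fi
  ctp_a=$(cert_pubkey "$ctp_cert") || ctp_a=
  ctp_b=$(key_pubkey "$ctp_key") || ctp_b=
  # An empty value means openssl could not parse the file: treat as mismatch.
  if [ -z "$ctp_a" ] || [ "$ctp_a" != "$ctp_b" ]; then
    echo "certificate and key do not match" >&2
    return 4
  fi
  return 0
}

# Usage: sh check-pair.sh <cert> <key>   (script name is a placeholder)
if [ "$#" -eq 2 ]; then
  check_tls_pair "$1" "$2" || exit $?
  echo "ok: certificate matches key and is not a CA"
fi
```

Run it against `tls.crt` or `fullchain.crt` together with `tls.key` before creating the Secret; a non-zero exit means the pair should not be imported.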