BYO server and client certificates
Bring your own server and client TLS certificates and manage the TLS certificate lifecycle yourself.
Instead of using Gloo Gateway self-signed certificates for the root CA certificate, you can generate your own relay root and intermediate CA certificates and keys with the certificate management tool of your choice. You then use the intermediate CA credentials to create the server TLS certificate for the Gloo management server and the client TLS certificate for the Gloo agent. Because the intermediate CA credentials are stored outside the cluster, you cannot leverage the built-in client TLS certificate rotation capability in Gloo Gateway. Instead, you use your own processes and tools to monitor the expiration and rotate all of your certificates.
For more information about this approach, see Bring your own CAs and client TLS certificates.
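The chain described above (your own relay root CA signing an intermediate CA, the intermediate issuing the management server's server certificate and the agent's client certificate) as an added example, written here in Go with the standard library `crypto/x509` package rather than with Gloo's own tooling or OpenSSL; it is not code from the Gloo Gateway project. The server hostname `mgmt-server.example.internal` and the agent identity `gloo-agent` are placeholders, and the validity periods are assumptions you would replace with your own policy. It also shows the two checks the rest of the page leaves to you: that a peer verifies the leaf only when the intermediate is presented with it and the usage and hostname match, and how far each certificate is from the expiry your external rotation process must watch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholders (assumptions for this example): the management server's DNS name and the agent's identity.
const (
	ServerDNSName = "mgmt-server.example.internal"
	ClientCN      = "gloo-agent"
)

// RelayPKI holds the four certificates and the private keys that stay with each party.
type RelayPKI struct {
	Root, Intermediate, Server, Client             *x509.Certificate
	RootKey, IntermediateKey, ServerKey, ClientKey *ecdsa.PrivateKey
}

// sign issues tmpl under parent (signed with parentKey) and parses the DER back into a certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate builds a CA template; maxPathLen 0 means "may sign leaves only".
func caTemplate(cn string, serial int64, now time.Time, validity time.Duration, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds a server or client leaf; the hostname goes into the SAN, not just the CN.
func leafTemplate(cn string, serial int64, now time.Time, validity time.Duration, eku x509.ExtKeyUsage, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: now, NotAfter: now.Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
}

// BuildRelayPKI creates root -> intermediate -> {server, client}: the root signs only the
// intermediate, and the intermediate signs both leaves. Validity periods are example values.
func BuildRelayPKI(now time.Time) (*RelayPKI, error) {
	now = now.Truncate(time.Second) // X.509 times carry second precision
	keys := make([]*ecdsa.PrivateKey, 4)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	p := &RelayPKI{RootKey: keys[0], IntermediateKey: keys[1], ServerKey: keys[2], ClientKey: keys[3]}
	var err error
	rootTmpl := caTemplate("relay-root-ca", 1, now, 10*365*24*time.Hour, 1)
	if p.Root, err = sign(rootTmpl, rootTmpl, &p.RootKey.PublicKey, p.RootKey); err != nil {
		return nil, err
	}
	interTmpl := caTemplate("relay-intermediate-ca", 2, now, 5*365*24*time.Hour, 0)
	if p.Intermediate, err = sign(interTmpl, p.Root, &p.IntermediateKey.PublicKey, p.RootKey); err != nil {
		return nil, err
	}
	srvTmpl := leafTemplate(ServerDNSName, 3, now, 365*24*time.Hour, x509.ExtKeyUsageServerAuth, []string{ServerDNSName})
	if p.Server, err = sign(srvTmpl, p.Intermediate, &p.ServerKey.PublicKey, p.IntermediateKey); err != nil {
		return nil, err
	}
	cliTmpl := leafTemplate(ClientCN, 4, now, 90*24*time.Hour, x509.ExtKeyUsageClientAuth, nil)
	if p.Client, err = sign(cliTmpl, p.Intermediate, &p.ClientKey.PublicKey, p.IntermediateKey); err != nil {
		return nil, err
	}
	return p, nil
}

// VerifyLeaf checks a leaf the way a TLS peer does: only the root is trusted, the intermediate must
// be presented with the leaf, the extended key usage must match, and for servers the hostname too.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates []*x509.Certificate, usage x509.ExtKeyUsage, dnsName string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{usage}, DNSName: dnsName, CurrentTime: at})
	return err
}

// DaysUntilExpiry is the number the external monitoring process compares against its threshold.
func DaysUntilExpiry(c *x509.Certificate, at time.Time) int {
	return int(c.NotAfter.Sub(at).Hours() / 24)
}

// NeedsRotation reports whether the certificate expires within the rotation window.
func NeedsRotation(c *x509.Certificate, at time.Time, window time.Duration) bool {
	return at.Add(window).After(c.NotAfter)
}

func main() {
	now := time.Now()
	p, err := BuildRelayPKI(now)
	if err != nil {
		panic(err)
	}
	inter := []*x509.Certificate{p.Intermediate}
	fmt.Println("server chain ok:", VerifyLeaf(p.Server, p.Root, inter, x509.ExtKeyUsageServerAuth, ServerDNSName, now) == nil)
	fmt.Println("client days until expiry:", DaysUntilExpiry(p.Client, now))
}
```

The point of the two negative checks in `VerifyLeaf` is that the management server and agent each need the intermediate bundled with their leaf, since only the root is in the peer's trust store, and that a client certificate cannot be reused as a server certificate because its extended key usage does not allow it. `NeedsRotation` stands in for the monitoring the page says you must run yourself once the intermediate lives outside the cluster.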
Choose between the following options:
- OpenSSL: Create your certificates by using OpenSSL and manually provide them to your Gloo management server and agent.
- AWS: Check out an example for how to generate your own relay certificates by using the AWS Private CA.
- Vault: Check out an example for how to use Vault to manage the lifecycle of relay certificates.