Private Certificate Authorities
- Updated 2026-05-14
If you are using a private certificate authority (CA), you must configure SystemLink Enterprise to use the private CA to establish trust.
- Signing certificates used for SystemLink Enterprise TLS termination.
The public certificate chain used for TLS termination at the API ingress must be deployed as a secret to the Kubernetes namespace for SystemLink Enterprise. Deploying the public certificate chain allows SystemLink Enterprise to do the following:
- Call SystemLink APIs. For example, you run a Jupyter Notebook that calls the Test Monitor API.
- Automatically deploy the private CA bundle to testers that you connect.
- Use TLS for communication to external dependencies of SystemLink Enterprise. External dependencies can include MongoDB, PostgreSQL, and so on.
The public certificate chain must be referenced in global.trustedCertificatesSecrets. This reference enables SystemLink Enterprise services to add this trust chain to their container root trust store.
Configuring Private Certificate Authorities
To configure SystemLink Enterprise to access endpoints that use certificates signed by a private CA, deploy the public certificate trust chain as a Kubernetes secret and configure the trust chain in your systemlink-values.yaml file.
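- Deploy the CA certificate as a Kubernetes secret:
    # --from-file=<key>=<path>: <key> becomes the key name inside the secret
    # and must match the key referenced in systemlink-values.yaml.
    kubectl --namespace <namespace> create secret generic my-ca-certificate --from-file=certificate=path/to/my-ca.crt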
- Configure trusted certificates in systemlink-values.yaml:
    global:
      trustedCertificatesSecrets:
        - secretName: "my-ca-certificate"
          key: "certificate"

  Table 50. Trusted Certificate Parameters

  | Parameter | Description |
  | --- | --- |
  | global.trustedCertificatesSecrets.secretName | Name of the Kubernetes secret containing the CA certificate. |
  | global.trustedCertificatesSecrets.key | Key name for the certificate within the secret. |

  Configuring global.trustedCertificatesSecrets allows SystemLink Enterprise to establish trust with the CA and communicate with resources that are secured with TLS.
- (Optional) Deploy CA certificate to client systems: To automatically deploy the private CA bundle to systems managed by SystemLink Enterprise, configure the following parameters:
    global:
      apiHostCertificateSecret:
        - secretName: "my-ca-certificate"
          key: "certificate"
      deployApiHostCertificateToSystems: true

  Table 51. Deployment Parameters

  | Parameter | Description |
  | --- | --- |
  | global.apiHostCertificateSecret.secretName | Name of the Kubernetes secret containing the CA certificate. |
  | global.apiHostCertificateSecret.key | Key name for the certificate within the secret. |
  | global.deployApiHostCertificateToSystems | Set to true to automatically deploy the CA certificate to all systems managed by SystemLink Enterprise. This allows clients to trust the CA and communicate with SystemLink Enterprise. |

After modifying systemlink-values.yaml, apply the configuration changes using the Helm upgrade command.
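A pre-flight check for the procedure above, added here as an example and not part of the SystemLink Enterprise documentation or tooling: it confirms that each secretName/key pair in systemlink-values.yaml resolves to a key that exists in the secret and holds only public certificates. It assumes input in the format of `kubectl get secrets -o json`; the function name `check_trust_refs`, the secret `ca-with-key`, and the sample data are constructed for illustration, and only PEM labels are inspected, not the X.509 contents.

```python
import base64
import json
import re

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def check_trust_refs(secret_list_json, refs):
    """Check {secretName, key} references against `kubectl get secrets -o json` output.

    Returns a list of problem strings; an empty list means every reference
    resolves to a key holding PEM certificates and no private key.
    """
    secrets = {s["metadata"]["name"]: s.get("data", {})
               for s in json.loads(secret_list_json)["items"]}
    problems = []
    for ref in refs:
        name, key = ref["secretName"], ref["key"]
        if name not in secrets:
            problems.append(f"{name}: secret not found in namespace")
            continue
        if key not in secrets[name]:
            # Typical cause: --from-file=<key>=<path> used a different <key>.
            problems.append(f"{name}: no key '{key}' (secret has {sorted(secrets[name])})")
            continue
        pem = base64.b64decode(secrets[name][key]).decode("ascii", errors="replace")
        labels = PEM_LABEL.findall(pem)
        if "CERTIFICATE" not in labels:
            problems.append(f"{name}/{key}: no PEM CERTIFICATE block")
        if any(label.endswith("PRIVATE KEY") for label in labels):
            problems.append(f"{name}/{key}: contains a private key; store only the public chain")
    return problems

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample data: placeholder PEM bodies, not real certificates or keys.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "my-ca-certificate"}, "data": {"cert": _b64(CERT)}},
    {"metadata": {"name": "ca-with-key"}, "data": {"certificate": _b64(CERT + KEY)}},
]})

if __name__ == "__main__":
    refs = [{"secretName": "my-ca-certificate", "key": "certificate"}]
    for problem in check_trust_refs(SAMPLE, refs):
        print(problem)
```

Run it against the namespace's secrets before the Helm upgrade; a missing key surfaces here as a clear message instead of as a TLS trust failure later.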
Related Information
- Preparing to Host and Operate SystemLink Enterprise
Before installing SystemLink Enterprise, ensure that the following network, compute, storage, and security infrastructure is in place.
- Validating the Install
Test that SystemLink Enterprise installed correctly.
- DNS and Network Security Considerations
SystemLink Enterprise is hosted in a Kubernetes cluster. SystemLink Enterprise connects to test systems to aggregate data for monitoring and analysis.
- systemlink-values.yaml
- Helm Upgrade
- AWS VPC
A Virtual Private Cloud (VPC) is an isolated network environment within AWS.
- Azure VNet
An Azure Virtual Network (VNet) is an isolated network environment within Azure.
- Internet Facing Clusters
- Corporate Network Connected Clusters
A corporate network connected cluster deployment integrates SystemLink with the private network infrastructure of your organization, ensuring secure access and secure integration with on-premises systems.