If you are using a private certificate authority (CA), you must configure SystemLink Enterprise to use the private CA to establish trust.

Note: A full description of Transport Layer Security (TLS), Public Key Infrastructure (PKI) certificates, and CA is beyond the scope of this User Manual. This topic assumes that you have prior knowledge of these concepts and access to valid certificates.

You might be using a private CA for the following activities.
  • Signing certificates used for SystemLink Enterprise TLS termination.

    The public certificate chain used for TLS termination at the API ingress must be deployed as a secret to the Kubernetes namespace for SystemLink Enterprise. Deploying the public certificate chain allows SystemLink Enterprise to do the following:

    • Call SystemLink APIs. For example, you run a Jupyter Notebook that calls the Test Monitor API.
    • Automatically deploy the private CA bundle to testers that you connect.
  • Use TLS for communication to external dependencies of SystemLink Enterprise. External dependencies can include MongoDB, PostgreSQL, and so on.

    The public certificate chain must be referenced in global.trustedCertificatesSecrets so SystemLink Enterprise services can add this trust chain to their container root trust store.

Configuring Private Certificate Authorities

Deploy a copy of the public certificate trust chain for the private CA before deploying SystemLink Enterprise.

Before you begin, get the public certificate trust chain for the private certificate authority. Only use a certificate from a trusted source.
To configure SystemLink Enterprise to access endpoints that use certificates signed by a private CA, complete the following steps.
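  1. Deploy the public CA certificate chain as a Kubernetes secret in the same namespace used by SystemLink Enterprise.
    Refer to the following example. The key name given to --from-file (certificate in this example) must match the key value that you reference in systemlink-values.yaml.
    kubectl --namespace namespace create secret generic my-ca-certificate --from-file=certificate=path/to/my-ca.crt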
  2. Open systemlink-values.yaml.
  3. Set the global.trustedCertificatesSecrets secret. Refer to the following example.
     
        global:
          trustedCertificatesSecrets:
            - secretName: "my-ca-certificate"
              key: "certificate"
    Configuring global.trustedCertificatesSecrets allows SystemLink Enterprise to establish trust with the CA and communicate with resources that are secured with TLS.
  4. Optional: Configure your clients to trust the CA so the clients can communicate with SystemLink Enterprise.
    1. Set the global.apiHostCertificateSecret secret.
          global:
            apiHostCertificateSecret:
              - secretName: "my-ca-certificate"
                key: "certificate"
    2. Set global.deployApiHostCertificateToSystems to true.
  5. Save and close systemlink-values.yaml.
  6. To deploy the new configuration, run the Helm upgrade command.
SystemLink Enterprise deploys these trusted certificates to all managed systems.
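
Because the bundle ends up in every service trust store and on all managed systems, it is worth checking the file before step 1 turns it into a secret. The following script is an added example, not part of SystemLink Enterprise or NI tooling; the function names check_ca_bundle and describe_ca_bundle are hypothetical, and describe_ca_bundle assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Pre-flight checks for the CA bundle before it becomes a Kubernetes secret.
# Function names are illustrative and not part of SystemLink Enterprise.

# check_ca_bundle FILE
#   0 = only PEM certificates, 1 = unreadable or no certificate,
#   2 = private key material present, 3 = truncated (BEGIN/END mismatch)
check_ca_bundle() {
    bundle=$1
    [ -r "$bundle" ] || return 1
    # A trust bundle is copied to every service and managed system, so it
    # must never carry the CA's private key.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        return 2
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    [ "$begins" -ge 1 ] || return 1
    [ "$begins" -eq "$ends" ] || return 3
    return 0
}

# describe_ca_bundle FILE
#   Prints subject, expiry and SHA-256 fingerprint of each certificate for
#   comparison with values obtained from the CA owner out of band.
describe_ca_bundle() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (dir "/" n ".pem")}' "$1"
    for pem in "$tmp"/*.pem; do
        openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
    done
    rm -rf "$tmp"
}

# Usage, with the placeholder names from the steps above:
#   check_ca_bundle path/to/my-ca.crt && describe_ca_bundle path/to/my-ca.crt
#   kubectl --namespace namespace create secret generic my-ca-certificate \
#       --from-file=certificate=path/to/my-ca.crt
# The name before "=" in --from-file must equal the key: value in
# systemlink-values.yaml ("certificate" in the snippets on this page).
```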