Using the Tanzu Service Mesh CLI, you can add transport layer security (TLS) certificates to Tanzu Service Mesh for use in different situations where secure, TLS-encrypted connections are needed.

You must use a TLS certificate for a public service that is exposed at an HTTPS URL. In this case, you must include the name of the certificate in the public service configuration to ensure secure HTTPS connections to the service.

To add a certificate to Tanzu Service Mesh, you must retrieve the template for a certificate manifest from the Tanzu Service Mesh API and then provide values for the fields in the manifest, including the public certificate and private key strings. As a final step, you must apply the resulting certificate manifest to your tenant in Tanzu Service Mesh.

Prerequisites

  • Verify that you are familiar with the public-key infrastructure (PKI) concepts of certificate, private key, certificate authority (CA), and certificate chain.

  • You have a public certificate and a private key from a trusted certificate authority (CA) and know the location of the certificate and private key files. The certificate file must be in PEM (.pem) format. The private key file must be in PEM or KEY (.key) format.

Note:

You can also add a self-signed certificate to Tanzu Service Mesh, such as one that you can generate by using the OpenSSL toolkit. Instructions on generating a self-signed certificate are out of scope of this documentation.

Procedure

  1. Retrieve the certificate manifest template:
    tanzu sm get spec certificates
  2. Provide values for the following fields in the manifest:

    projectId
      The associated Tanzu Service Mesh project. Set this field to default.

    name (in metadata and spec)
      The name of the certificate. Provide a friendly name to help identify the certificate in the Tanzu Service Mesh Console.
      The name can contain only alphanumeric characters and underscores (_) and cannot contain numbers or special characters, such as hyphens (-), ampersands (&), and pound signs (#). The name must contain a minimum of 2 characters and a maximum of 1,024 characters.

    certificateType
      Set to UnmanagedCertificate.

    description
      An optional description of the certificate. If you don't want to provide a description, set this field to an empty string ("").

    managedCertificate
      Configuration of internally managed certificates. Remove this field and its nested fields.

    unManagedCertificate
      Configuration of externally managed certificates. It contains the following nested fields:

      cert_chain
        Optional field. Insert the contents of the CA certificate chain file.
        If you don't have a certificate chain file from your CA, remove this field.

      private_key
        Insert the private key string from the private key file, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.

      signed_certificate
        Insert the public certificate string from the public certificate file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  3. Apply the certificate manifest YAML file:

    tanzu sm apply -f {file-name.yaml}

    The output contains a message that the specified certificate was created.

What to do next

The new certificate is added to the Keys & Certificates page in the Tanzu Service Mesh Console. To view the certificate, perform the following steps:
  1. Access the Tanzu Service Mesh Console.

  2. In the navigation pane on the left, click Admin > Keys & Certificates.

  3. On the Keys & Certificates page, in the table on the Keys & Certificates tab, view the details of the certificate.