If you want Tanzu Service Mesh to integrate with an external service that uses self-signed certificates, you must upload the associated certificate chain or certificate authority (CA) bundle to Tanzu Service Mesh so that Tanzu Service Mesh can trust that external service's certificates.

A common scenario for uploading a certificate chain is when you need to integrate with an external CA service, and that CA service issues certificates signed not by a publicly trusted CA, but by an internal CA. In that case, you must upload the CA's certificate chain to Tanzu Service Mesh and then reference the certificate chain in the CA integration account. This way, Tanzu Service Mesh will trust the certificates signed by the CA.

For example, you may want to integrate with Vault CA so that the services in your service mesh can make authenticated and encrypted connections to each other by using mutual TLS (mTLS) certificates generated by Vault CA. Since certificates issued by a Vault server are signed by an internal CA, you must upload the CA bundle in use by the server to Tanzu Service Mesh and then reference the CA bundle in the appropriate Vault CA integration account. During onboarding, if you associate a cluster with the Vault CA integration, the root and intermediate certificates from the CA bundle will be imported into the cluster's trust store, and the cluster will use these CA certificates to make trusted HTTPS connections to the Vault server and trust the mTLS certificates provided by the server. For more information about Vault integration, see Create a Vault CA Integration Account.

  • Certificate chains and CA bundles that you upload to Tanzu Service Mesh are different from transport layer security (TLS) certificates that you upload to Tanzu Service Mesh. Those certificates are used in different situations where secure inbound connections need to be established to services in your service mesh. For example, certificates are used to establish secure communications between clients and public services in Tanzu Service Mesh. For more information about uploading certificates to Tanzu Service Mesh, see Add Certificates.

  • For simplicity, the following procedure refers only to certificate chains, but the information applies to both certificate chains and CA bundles.


  • Verify that you are familiar with public-key infrastructure (PKI) concepts certificate chain, certificate authority (CA), self-signed certificate, CA bundle, root certificate, and intermediate certificate.

  • Know the location of the certificate chain file that you want to add. The file must be in PEM (.pem) format.

  • Verify that the certificate chain file contains a maximum of three certificates, including only one root certificate and a maximum of two intermediate certificates. Certificate chain files containing a larger number of certificates cannot be uploaded.

  • Access the Tanzu Service Mesh Console.


  1. In the navigation pane on the left, click Admin > Keys & Certificates.
  2. On the Keys & Certificates page, click the Certificate Chains tab.
  3. Click New Certificate Chain.
  4. In the New Certificate Authority Chain dialog box, provide the following information about the certificate chain.
    • Name. Enter a unique name for the certificate chain in Tanzu Service Mesh. Use a name that will help identify the file when you reference it in a CA integration account.

    • Description. Enter an optional description.

    • Certificate Chain. Click Select .PEM file and browse to the certificate chain file that you want to upload.

  5. Click Save.


A row for the new certificate chain is added to the table on the Certificate Chains tab.

What to do next

To view the fields for each certificate in an uploaded certificate chain, click the certificate chain name in the table. The fields of the root certificate appear at the top of the certificate chain details page, followed by the fields of each subsequent intermediate certificate in the chain. The fields of the server certificate appear last.

As an example, the following fields are displayed for the root certificate:

  • Certificate Info

  • Not Valid Before

  • Not Valid After

  • Common Name

  • Organization

  • Organizational Unit

  • Serial Number

  • SHA-1 Fingerprint

  • SHA-256 Fingerprint

  • Signature Algorithm

  • Issuer

  • Subject

  • Public Key Algorithm

  • Public Key Length

  • If no value appears next to a field, that field was not found in the certificate chain file.

  • The Certificate Info field indicates the type of certificate in the certificate chain, for example, Root CA Certificate.

You can edit a certificate chain record to upload a different certificate chain file into the record or to edit the description of the certificate chain. To edit:

  1. On the Certificate Chains tab, click the certificate chain name in the table.

  2. On the certificate chain details page, click Edit Certificate Chain.

  3. In the Edit Certificate Authority Chain dialog box, make the changes you want and click Save.