How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?
For most of my internal services that are sitting behind Traefik I use step-ca which basically gives you a Let’s Encrypt style certificate while working over the local network. The root CA has a long expiry (so might not be what you want if your goal Is a short lived root CA) but the actual certificates for each service are short lived (a touch over 24 hours from memory?)
I tried step-ca to start with, but my primary use case was for certs in the cluster, which cert-manager is more suited for natively. Maybe step-ca has improved, I was using it in the early days. My goal isn’t a short lived cert as much as it is to have an easy configuration and to learn.