Idea #18338
Status: open
"arvados-server init" can use a local root CA to sign certificates
Description
When running "arvados-server init" the operator should have the option[1] to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.
"arvados-server init" may provide the option, but "arvados-server boot" should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running "init" again.
Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.
[1] This should be the default behavior if no other certificate strategy is selected/available.
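The root-CA scheme described above, as an added Go example that is not Arvados code: `issue` and `verify` are hypothetical helpers, and the names `example local root CA` and `ws.example.test` are constructed. It creates a root, signs a service certificate with it, and verifies that certificate as a client that trusts only that root would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a self-signed root CA when ca is nil, otherwise a TLS server certificate for DNS name signed by ca.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), BasicConstraintsValid: true}
	if ca == nil { // root CA: self-signed, long-lived, may only sign certificates
		tmpl.IsCA, tmpl.KeyUsage, tmpl.NotAfter = true, x509.KeyUsageCertSign, time.Now().AddDate(10, 0, 0)
		ca, caKey = tmpl, key
	} else { // service certificate: server auth for one DNS name, short-lived
		tmpl.DNSNames, tmpl.NotAfter = []string{name}, time.Now().AddDate(0, 3, 0)
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	crt, err := x509.ParseCertificate(der)
	return crt, key, err
}

// verify checks crt for host as a client that trusts only root would.
func verify(root, crt *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := crt.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey, _ := issue("example local root CA", nil, nil)
	crt, _, _ := issue("ws.example.test", ca, caKey)
	fmt.Println("trusted by clients holding the root:", verify(ca, crt, "ws.example.test") == nil)
}
```

Verifying the same service certificate against a second root from a fresh `issue(..., nil, nil)` call fails, which is what clients see after a restart when the root CA was not persisted.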