This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA. Instructions are available here.

The included sample files are:

• root-cert.pem: root CA certificate.
• root-cert-alt.pem: alterative CA certificate.
• ca-[cert|key].pem: Citadel intermediate certificate and corresponding private key.
• ca-[cert-alt|key-alt].pem: alternative intermediate certificate and corresponding private key.
• cert-chain.pem: certificate trust chain.
• cert-chain-alt.pem: alternative certificate chain.
• workload-foo-[cert|key].pem: workload certificate and key for URI SAN spiffe://trust-domain-foo/ns/foo/sa/foo signed by ca-cert.key.
• workload-bar-[cert|key].pem: workload certificate and key for URI SAN spiffe://trust-domain-bar/ns/bar/sa/bar signed by ca-cert.key.

The workload cert and key are generated by:

 ./generate-workload.sh foo
 ./generate-workload.sh bar

To generate certs signed by the alternative root root-cert-alt.pem

./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root