> ## Documentation Index
> Fetch the complete documentation index at: https://docs.domino.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up custom Certificate Authority (CA) certificates

<Warning>
  When Domino deploys Istio mesh, out of the box, Istio provides scalable [identity and X.509 certificate management](https://istio.io/latest/docs/concepts/security/#pki) for use with mTLS encryption, including periodic certificate and key rotation.

  Because all encrypted communication is internal,  these certificates are not exposed or required for communication to any external services, such as web browsers and clients.

  Domino acknowledges that enterprise policies might mandate the use of corporate public key infrastructure (PKI) and necessitate the use of certificate authority (CA) certificates.
</Warning>

<Note>
  All certificates must be X.509 PEM format and  keys must be passwordless.
</Note>

1. Obtain the certificate files, noting the file names for use in future commands.

   | Filename         | Description                                                                     |
   | ---------------- | ------------------------------------------------------------------------------- |
   | `root-cert.pem`  | Root CA certificate for PKI.                                                    |
   | `ca-cert.pem`    | Intermediate CA certificate from root CA. This is the Istio CA certificate.     |
   | `ca-key.pem`     | Private key for Istio CA certificate.                                           |
   | `cert-chain.pem` | Full chain from `ca-cert.pem` to `root-cert.pem` (including both certificates). |

2. Use the code in the following sample.

   ```shell theme={null}
   # Concatenate all certificates into a certificate chain file
   # Assuming `N` intermediate certificates denoted as `int-ca-<i>.pem`, with `i = {1,...,N}`
   cat ca-cert.pem int-ca-1.pem ... int-ca-N.pem root-cert.pem > cert-chain.pem

   # Create new kubernetes secret with CA certificate files
   kubectl -n istio-system create secret generic cacerts
       --from-file=./ca-cert.pem
       --from-file=./ca-key.pem
       --from-file=./root-cert.pem
       --from-file=./cert-chain.pem
   ```

   In a new standard Domino install, if you follow the install process, the `fleetcommand-agent` (Domino installer) automatically picks up the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) that you created and Istio uses the configured certificates.

   In an existing Domino installation, you must restart all the pods.
