External CA and Intermediate Certificates

[trunet]

Dear Talos Community, hope everybody is ok. After years of using talos for personal and freelancer stuff, I'm considering talos for a new k8s infrastructure at my current full-time employer.

One of the requirements is to have an External Root CA. It can issue an intermediate and its key to be used.

How to achieve that?

Trying to answer my own question, checking https://www.talos.dev/v1.7/reference/configuration/v1alpha1/config/, I noticed the ca which require Certificate and Key and acceptedCAs. Should I add the Root CA certificate to acceptedCAs and the intermediate crt and key to ca? Or should I add the intermediate and the root to a "chain" file and use the chain on ca?

[smira]

Please see #8866 - is it the same question?

You can replace the Kubernetes CA in the secrets.yaml after talosctl gen secrets and try to use your own CA.