Trust CA certificates of TLS Providers

In the Juju ecosystem, multiple TLS providers can be used to issue certificates for applications and units.

• self-signed-certificates
• vault
• lego
• manual-tls-certificates

In some cases, the CA certificates used by these providers are self-signed. This means that the certificates they issue will not be trusted by default by other applications or clients unless the CA is explicitly trusted.

Best Practices for Production Deployments

• Internal Communication (Unit-to-Unit) As described in the internal communication guide, self-signed-certificates can be used to secure intra-application traffic. In this case:
  • Each unit of an application receives the CA certificate as part of the relation data from the tls-certificates integration.
  • The CA is the direct issuer of the application’s leaf certificate.
  • Trusting this CA is sufficient to establish trust in the leaf certificates.
• API Communication For more complex deployments that secure API communication, client applications should trust the CA directly from the CA provider, not from the application.
  • The CA certificate can be obtained by integrating with the provider over the certificates-transfer interface.
  • When the provider uses intermediate CA, it is recommended to trust the provider with the root CA (or the highest CA in the hierarchy). However this is not mandatory.