Kuma ships with a builtin CA (Certificate Authority) which is initialized with an auto-generated root certificate. The root certificate is unique for every Mesh and it is used to sign identity certificates for every data-plane.

The mTLS feature is used for AuthN/Z as well: each data-plane is assigned a workload identity certificate, which is SPIFFE compatible. This certificate has a SAN set to spiffe://<mesh name>/<service name>. When Kuma enforces policies that require an identity, like TrafficPermission, it extracts the SAN from the client certificate and uses it for every identity matching operation.
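The matching step described above, as an added example that is not Kuma's own code: it parses the spiffe://<mesh name>/<service name> URI SAN presented by a client, rejects identities from another Mesh or certificates that do not carry exactly one SPIFFE ID, and evaluates a simplified TrafficPermission-style rule list (the `sources`/`destinations` dict shape and the `*` wildcard are assumptions for illustration).

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

Rule = Dict[str, List[Dict[str, str]]]  # assumed shape: {"sources": [...], "destinations": [...]}


def parse_spiffe_id(san: str) -> Optional[Tuple[str, str]]:
    """Parse a Kuma-style SPIFFE ID 'spiffe://<mesh>/<service>' into (mesh, service).

    Returns None for anything that is not exactly that shape, so a stray DNS
    or e-mail SAN, or a URI with extra path segments, never yields an identity.
    """
    parsed = urlparse(san)
    if parsed.scheme != "spiffe" or not parsed.netloc:
        return None
    service = parsed.path.lstrip("/")
    if not service or "/" in service or parsed.query or parsed.fragment:
        return None
    return parsed.netloc, service


def _matches(selectors: List[Dict[str, str]], service: str) -> bool:
    # A selector matches when its service tag equals the name or is the wildcard.
    return any(sel.get("service") in (service, "*") for sel in selectors)


def is_allowed(client_sans: List[str], mesh: str, dest_service: str, rules: List[Rule]) -> bool:
    """Decide whether the client identity may reach dest_service in mesh.

    Default deny: no SPIFFE ID, an ambiguous certificate (more than one ID),
    an identity issued for another Mesh, or no matching rule all return False.
    """
    identities = [p for p in (parse_spiffe_id(s) for s in client_sans) if p is not None]
    if len(identities) != 1:
        return False
    id_mesh, src_service = identities[0]
    if id_mesh != mesh:  # every Mesh has its own root CA; cross-mesh identities are not trusted
        return False
    return any(
        _matches(rule.get("sources", []), src_service)
        and _matches(rule.get("destinations", []), dest_service)
        for rule in rules
    )


if __name__ == "__main__":
    # Constructed sample: only 'web' may call 'backend' in the 'default' mesh.
    rules = [{"sources": [{"service": "web"}], "destinations": [{"service": "backend"}]}]
    print(is_allowed(["spiffe://default/web"], "default", "backend", rules))    # True
    print(is_allowed(["spiffe://other/web"], "default", "backend", rules))      # False
```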

On Universal:

You can apply this configuration with kumactl apply -f [file-path].

    apiVersion: kuma.io/v1alpha1
    kind: Mesh
    namespace: kuma-system
    mtls:
      enabled: true
      builtin: {}


Currently Kuma only supports self-signed certificates (builtin). In the future we plan to add support for third-party Certificate Authorities.