Adding API server certificates

    The default API server certificate is issued by an internal OKD cluster CA. You can add one or more alternative certificates that the API server will return based on the fully qualified domain name (FQDN) requested by the client, for example when a reverse proxy or load balancer is used.

    Prerequisites

    • You must have a certificate for the FQDN and its corresponding private key. Each should be in a separate PEM format file.

    • The certificate must include the extension showing the FQDN.

    • The certificate file can contain one or more certificates in a chain. The certificate for the API server FQDN must be the first certificate in the file. It can then be followed by any intermediate certificates, and the file should end with the root CA certificate.

    1. Update the API server to reference the created secret.

      (1) Replace with the FQDN that the API server should provide the certificate for.
      (2) Replace <secret> with the name used for the secret in the previous step.
    2. Examine the apiserver/cluster object and confirm the secret is now referenced.