A digital certificate contains information about the identity of a resource, such as a computer, database, or user. It's used to establish secure connections to remote resources and for encryption.
ArcGIS Enterprise on Kubernetes uses two types of digital certificates: identity certificates and trust certificates. Both can be imported using ArcGIS Enterprise Manager or the ArcGIS Enterprise Administrator Directory. You can use ArcGIS Enterprise Manager to view, assign, and remove certificates.
An identity certificate contains a public key, a private key, and information about the owner and the issuer of the certificate. This is typically stored in PKCS12 format (.pfx or .p12 file). The common use case of an identity certificate is on a web server. ArcGIS Enterprise uses identity certificates in its web servers to allow clients to connect to ArcGIS Enterprise securely. When a client, such as a web browser, attempts to communicate with a web server, the web server sends the public portion of the identity certificate to the client. The client must validate the certificate and ensure that the remote computer is trustworthy before sending information to it. That trust is established through trust certificates.
During deployment, your organization must provide or generate an identity certificate. This certificate remains in use, assigned to secure your ingress controller, unless you assign a new identity certificate in its place. You can use ArcGIS Enterprise Manager to import and assign identity certificates. At this release, only one identity certificate can be used at a time, and the only component it can be assigned to is the ingress controller.
You can also import identity certificates that are contained in TLS secrets using the Kubernetes cert-manager program.
A trust certificate contains information about a certificate issuer or certificate authority. This is typically stored in PEM format (.cer or .crt file) or the binary .der file format. Organizations called certificate authorities (CAs) sign certificates indicating that they have verified the identity of the web server and the organization operating the web server. These CAs have their own certificates, which are broadly distributed and trusted by web browsers, operating systems, and client applications. Trust certificates help a client determine whether a particular web server is trustworthy. Providing ArcGIS Enterprise trust certificates ensures that when ArcGIS Enterprise connects to remote computers, it can determine whether the remote computer is trustworthy.
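The file formats described above for identity certificates (PKCS12) and trust certificates (PEM or DER) can be told apart from their first bytes, which makes a useful pre-import check: a file offered as a trust certificate should not be a PKCS12 bundle or carry a PEM private key. The following is an added example, not Esri code; the function names are hypothetical, and it inspects only the outer encoding, so it does not validate signatures, chains, or expiry.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_inner_prefix(data):
    """First bytes inside the outer SEQUENCE, or None if not one SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] == 0x80:                  # BER indefinite length, seen in some .pfx
        return data[2:5]
    offset, declared = 2, data[1]
    if declared & 0x80:                  # long-form length: next n bytes
        n = declared & 0x7F
        if n > 4 or len(data) < 2 + n:
            return None
        declared = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    if declared != len(data) - offset:   # truncated file or trailing bytes
        return None
    return data[offset:offset + 3]

def classify_der(data):
    inner = der_inner_prefix(data)
    if inner is None:
        return "unknown"
    if inner == b"\x02\x01\x03":         # PFX starts with version INTEGER 3
        return "pkcs12"
    if inner[:1] == b"\x30":             # Certificate starts with tbsCertificate
        return "der-certificate"
    return "unknown"

def classify(data):
    """Return (kind, pem_private_key_present) for raw file bytes."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return classify_der(data), False
    has_key = any(label.endswith(b"PRIVATE KEY") for label, _ in blocks)
    certs = [body for label, body in blocks if label == b"CERTIFICATE"]
    ok = bool(certs) and all(
        classify_der(base64.b64decode(body)) == "der-certificate" for body in certs)
    return ("pem-certificate" if ok else "unknown"), has_key

def acceptable_as_trust(data):
    kind, has_key = classify(data)
    return kind in ("pem-certificate", "der-certificate") and not has_key

# Constructed stubs: valid outer headers only, not real certificates or keys.
STUB_DER_CERT = b"\x30\x03\x30\x01\x00"
STUB_PFX = b"\x30\x05\x02\x01\x03\x30\x00"
STUB_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(STUB_DER_CERT)
            + b"\n-----END CERTIFICATE-----\n")
STUB_PEM_WITH_KEY = STUB_PEM + b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```

To check a real file, pass its bytes, for example `classify(open(path, "rb").read())`.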