Getting Started with Distributed Issuer
To use Distributed Issuer, you first complete pre-installation tasks in the Next-Gen Trust Security user interface, then install the application to a Kubernetes cluster or Linux host. Once installation is complete, you use gRPC or REST APIs to request certificates.
This topic outlines the complete setup process, including tasks performed in Next-Gen Trust Security and tasks performed on the command line when installing Distributed Issuer.
Prerequisites
A parent Tenant Service Group account, which is required to create Sub CA providers and policies and to share resources with child tenants.
A Superuser user role in Next-Gen Trust Security.
Complete Pre-Installation Tasks
Before installation, complete the following tasks in Next-Gen Trust Security.
Connect a CA account such as Zero Touch PKI or Microsoft AD CS. The CA account determines which CA issues Distributed Issuer's subordinate CA certificate. See About CA Accounts.
Add a subordinate CA provider to define the properties of Distributed Issuer's own CA certificate (such as validity period, key algorithm, and subject fields) and link it to the CA account that will sign it. Distributed Issuer uses this certificate to issue certificates to workloads. See Add Subordinate CA Providers.
Create a policy to set rules for the certificates that Distributed Issuer issues to workloads, including allowed key algorithms, certificate validity, subject fields, and key usage. See Add Policies.
Create a configuration to tie together your Subordinate CA provider, policies, and client settings into a runtime configuration that Distributed Issuer downloads when it starts. See Add Configurations.
Install Distributed Issuer
Once configuration is complete, install Distributed Issuer.
Note: Installation is CLI-based and requires access to your Kubernetes cluster or Linux host. The following topics are on the NGTS developer documentation site, which focuses on developer and DevOps tasks.
What's Next?
Once Distributed Issuer is installed: