Hybrid Ingress Self signed Cert Walkthrough
We are going to visit all stops on creating and configuring self-signed certificates for Istio Ingress configuration.
As usual, we will also refresh and collect useful troubleshooting commands here.
In the generic case, a CA root key is used to generate a CA root certificate. An intermediate key is used to generate an intermediate certificate request, which the CA key signs to produce an intermediate certificate. A leaf key is used to generate a leaf certificate request, which the intermediate key signs to produce a leaf certificate. The CA, intermediate, and leaf certificates comprise a trust chain that is used to validate the certificate. Self-signed certificates do not change the mechanics of the PKI framework. They merely make the CA root certificate configuration step explicit.
If the paragraph above sounds like a mouthful and feels complex, that's because, without some investment and practice, it is. Keep reading on PKI until you can easily explain it to a colleague during an office party.
In practice, it often makes sense to cut some corners and generate a single self-signed certificate that is used as both the CA root certificate and the trust chain.
If not configured correctly, your certificate will be rejected. Stack Overflow is full of advice to use -k to 'solve' this problem. Don't! Ignorance is never a good solution, especially in matters of security.
The problem is that nowadays a number of security-related predicates and conditions need to be satisfied before you can add the --cafile option and drop the -k option.
Originally, a simple openssl command was all that was needed to create a certificate you could trust and use. As time goes by, vulnerabilities, computational progress, and security best practices gradually introduce new requirements for a well-defined certificate. They take the form of checks performed by OSs, browsers, and/or the underlying libraries that PKI-related tools use. If a check fails, the certificate is not accepted as valid.
Just a few examples: SANs are mandatory; basicConstraints and keyUsage declarations are required as appropriate. Minimum cipher strengths and key lengths are cryptographic properties that need to be considered.
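The requirements listed above, as an added example that is not part of the original walkthrough: it generates a single self-signed certificate carrying a SAN, basicConstraints and keyUsage, checks a certificate for those properties, and validates it against an explicit CA file with `openssl verify -CAfile`. The function names, file names, the hostname in the usage comment, and the choice of RSA 2048 with `CA:TRUE` and `keyCertSign` are assumptions made for this example.

```sh
# Added example (not from the original walkthrough); function names are hypothetical.
# Usage: make_selfsigned /tmp/certs ingress.example.test   (constructed hostname)

# One self-signed RSA certificate that serves as both CA root and server cert.
make_selfsigned() {   # <dir> <hostname>
  cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $2
[v3]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,digitalSignature,keyCertSign
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/req.cnf" -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# Report which of the properties named above an RSA certificate lacks.
# Returns 0 only when all are present.
check_cert() {        # <cert.pem>
  cc_text=$(openssl x509 -in "$1" -noout -text) || return 2
  cc_bad=0
  for cc_ext in "Subject Alternative Name" "Basic Constraints" "Key Usage"; do
    printf '%s\n' "$cc_text" | grep -q "X509v3 $cc_ext" ||
      { echo "missing: $cc_ext"; cc_bad=1; }
  done
  cc_bits=$(printf '%s\n' "$cc_text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${cc_bits:-0}" -ge 2048 ] || { echo "weak key: ${cc_bits:-unknown} bits"; cc_bad=1; }
  return "$cc_bad"
}

# Validate against an explicit CA file instead of switching verification off.
verify_with_cafile() { # <ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Because the certificate is its own issuer, the same `tls.crt` is passed as both the CA file and the certificate to verify; a certificate generated separately for the same hostname is rejected.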