
Hybrid Ingress Self signed Cert Walkthrough

Yuriy Lesyuk edited this page Jun 3, 2020 · 16 revisions

Hybrid Ingress Self-Signed Certificates Walkthrough

We are going to walk through every step of creating and configuring self-signed certificates for the Istio Ingress configuration.

As usual, we will also refresh and collect useful troubleshooting commands along the way.

How to create a single self-signed certificate that curl recognises

In the generic case there is a CA root key, which is used to generate the CA root certificate. An intermediate key is used to generate an intermediate certificate request; the CA root key signs that request to produce the intermediate certificate. A leaf key is then used to generate a leaf certificate request, and the intermediate key signs it to produce the leaf certificate. The CA root, intermediate, and leaf certificates comprise the trust chain that is used to validate the certificate. Self-signed certificates do not change the mechanics of the PKI framework; they merely make the CA root certificate configuration step explicit.

If the paragraph above sounds like a mouthful and feels complex, that is because, without some investment and practice, it is. Keep reading on PKI until you can easily explain it to a colleague during an office party.

In practice, in many cases it makes sense to cut some corners and generate a single self-signed certificate that is used as both the CA root certificate and the trust chain.

If not configured correctly, your certificate will be rejected. Stack Overflow is full of [advice to use -k](https://serverfault.com/questions/121768/curl-or-ssl-problems-how-to-solve) to 'solve' this problem. Don't! Ignorance is never a good solution, especially in matters of security.

The problem is that nowadays there are some security-related predicates and conditions that need to be satisfied before you can add the --cacert option (curl's flag for supplying the CA bundle) and drop the -k option.
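As an added example that is not part of the original wiki page, the script below generates one self-signed certificate carrying the extensions modern TLS clients check (a subjectAltName matching the hostname, and CA:TRUE so the same file can serve as its own trust anchor), then checks it the way a client would before you point curl --cacert at it; the hostname, output directory and the ingress IP placeholder are assumptions.

```shell
#!/bin/sh
# Added example: one self-signed cert that is both CA root and trust chain,
# built so curl accepts it with --cacert instead of -k.
# Assumptions: the hostname and output directory below are placeholders.
set -eu

HOST="${1:-api.example.internal}"   # assumed ingress hostname
OUT="${2:-./certs}"                 # assumed output directory
mkdir -p "$OUT"

make_self_signed() {
  host="$1"; dir="$2"
  # Modern clients match the hostname against subjectAltName, not CN;
  # CA:TRUE lets the same cert act as the root of its own one-element chain.
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_self
prompt             = no
[dn]
CN = $host
[v3_self]
subjectAltName   = DNS:$host
basicConstraints = critical,CA:TRUE
keyUsage         = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
}

# Check the cert the way a TLS client will: it must verify against itself
# as the CA, and its SAN must contain the hostname we intend to connect to.
verify_self_signed() {
  host="$1"; dir="$2"
  openssl verify -CAfile "$dir/tls.crt" "$dir/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/tls.crt" -noout -text 2>/dev/null \
    | grep -qF "DNS:$host" || return 1
}

make_self_signed "$HOST" "$OUT"
if verify_self_signed "$HOST" "$OUT"; then
  echo "ok: $OUT/tls.crt passes chain and hostname checks"
else
  echo "fail: $OUT/tls.crt would be rejected without -k" >&2; exit 1
fi
# Against the ingress (placeholder IP), no -k needed:
#   curl --cacert "$OUT/tls.crt" --resolve "$HOST:443:<INGRESS_IP>" "https://$HOST/"
```

If the hostname you curl is not listed in the SAN, the second check fails even though the chain verifies, which is the usual reason a self-signed certificate is rejected.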
