Hey @ssengar - Thanks for raising this question. The normal way I would think about tackling this would be to provide a certificate bundle that includes the root certificates of all the required trusted CAs.
The general steps to do that would be something like:
1. Obtain the root certificate files for all the CAs you want to trust.
2. Concatenate all the root certificate files into a single bundle file.
3. Configure etcd to use the certificate bundle file. This involves specifying the file path in the etcd configuration file or providing it as a command-line argument when starting etcd.
Have you tried an approach like this?
Note: There is an active issue around the refreshing of ca bundles for new connections, i.e. zero downtime updates. Refer: #11555. Just something to be aware of.
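The bundle-building steps from the reply above, as an added example that is not part of the original thread or the etcd project's own tooling. The file names are hypothetical; `--trusted-ca-file` and `--client-cert-auth` are etcd's flags for client certificate trust. It also handles the usual failure mode of plain concatenation: an input file without a trailing newline, which fuses the END and BEGIN markers of adjacent certificates.

```shell
#!/usr/bin/env bash
# Added example: build one CA bundle from several root certificate files.
# File names below are hypothetical.

# Print the number of PEM certificate blocks in a file (CRLF tolerated).
count_certs() {
  tr -d '\r' < "$1" | grep -c -e '^-----BEGIN CERTIFICATE-----$' || true
}

# build_ca_bundle OUT CA1.pem [CA2.pem ...]
build_ca_bundle() {
  bundle_out=$1; shift
  bundle_tmp=$(mktemp) || return 1
  for pem in "$@"; do
    # A trust bundle must never carry key material.
    if grep -q -e 'PRIVATE KEY-----' "$pem"; then
      echo "refusing $pem: contains a private key" >&2
      rm -f "$bundle_tmp"; return 1
    fi
    if [ "$(count_certs "$pem")" -eq 0 ]; then
      echo "refusing $pem: no PEM certificate found" >&2
      rm -f "$bundle_tmp"; return 1
    fi
    # Copy only the certificate blocks, strip CRs, and end every line with
    # a newline so END/BEGIN markers of adjacent files never fuse.
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         inside { print }
         /^-----END CERTIFICATE-----$/ { inside = 0 }' "$pem" >> "$bundle_tmp"
  done
  chmod 644 "$bundle_tmp"   # CA certificates are public; etcd must read them
  mv "$bundle_tmp" "$bundle_out"
}

# Optional check (needs openssl): does a certificate chain to the bundle?
verify_against_bundle() {
  openssl verify -CAfile "$1" "$2"
}

# Usage (not executed here):
#   build_ca_bundle ca-bundle.pem team-a-ca.pem team-b-ca.pem
#   verify_against_bundle ca-bundle.pem team-a-client.pem
#   etcd --client-cert-auth --trusted-ca-file=ca-bundle.pem ...
```

Every CA in the bundle can issue certificates that etcd will accept, so the bundle should contain only the roots whose clients are meant to connect.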
We are trying to consolidate the channels to which questions for help/support are posted so that we can improve our efficiency in responding to your requests, and to make it easier for you to find answers to frequently asked questions and how to address common use cases.
We regularly see messages posted in multiple forums, with the full response thread only in one place or, worse, spread across multiple forums. Also, the large volume of support issues on GitHub is making it difficult for us to use issues to identify real bugs.
Members of the etcd community use Discussion Forums to field support requests. Before posting a new question, please search these for answers to similar questions, and also familiarize yourself with:
What would you like to be added?
Multiple CAs should be trusted by etcd.
Why is this needed?
As part of our setup, we might need etcd clients to connect to etcd via certificates issued by their own CA.