The Default Wildcard Certificate

The OKD installer creates an internal certificate authority (CA) and uses this CA to sign additional certificates.

The certificate used by the ingress controller operator is a wildcard certificate for all routes in the .apps subdomain for your cluster. Routes for the web console, Grafana, Prometheus, and OAuth use this same wildcard certificate.
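
A wildcard certificate covers only hostnames exactly one label below the wildcard's parent domain, which matters when planning what a replacement certificate has to cover. The following is an added example, not part of the OKD documentation, that applies the strict RFC 6125 wildcard rule; the cluster domain apps.cluster.example.com and all hostnames in it are constructed assumptions.

```python
# Added example: which hostnames a wildcard SAN covers (strict RFC 6125 rule).
# The cluster domain and every hostname below are constructed sample values.

WILDCARD_SAN = "*.apps.cluster.example.com"

SAMPLE_HOSTS = [
    "console-openshift-console.apps.cluster.example.com",
    "oauth-openshift.apps.cluster.example.com",
    "grafana-openshift-monitoring.apps.cluster.example.com",
    "shop.prod.apps.cluster.example.com",   # two labels below .apps
    "apps.cluster.example.com",             # the bare subdomain itself
    "api.cluster.example.com",              # outside the .apps subdomain
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if the DNS SAN `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # "*" stands for exactly one label, so label counts must be equal.
    if len(p) != len(h) or "" in h:
        return False
    # Only a whole left-most label may be a wildcard.
    if any("*" in label for label in p[1:]):
        return False
    if "*" in p[0] and p[0] != "*":
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def uncovered(pattern: str, hostnames: list[str]) -> list[str]:
    """Hostnames that would need their own certificate or SAN entry."""
    return [name for name in hostnames if not san_matches(pattern, name)]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict = "covered" if san_matches(WILDCARD_SAN, host) else "NOT covered"
        print(f"{verdict:12} {host}")
```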

When using the wildcard certificate signed by the internal OKD CA, the web console prompts users with a warning indicating that the connection is not secure.

The View Certificate link provides details about the certificate.

If OKD certificates are not signed by a recognized certificate authority, then users attempting to access the cluster must add one or more exceptions in order to use the certificates.

Although using these exceptions might be acceptable for internal use, this solution is frequently insufficient for client-facing URLs.

Companies can use a certificate signed by a recognized certificate authority, such as Let’s Encrypt, or use a certificate signed by their own enterprise certificate authority.