About Trust anchor certificate and Issuer certificate key

[eddielishan]

Excuse me, Can I set and install the Trust anchor certificate and Issuer certificate key for both over 10 years without Rotating TLS Credentials？

[mateiidavid]

Hey @eddielishan, regardless of how you install linkerd (helm or cli), you can provide your own TLS certificates for the control plane. Certificates have to be rotated once expired, indeed you can generate your own root CA (trust anchor) and issuer with an expiry date set 10 years from now and you will not have to rotate until they expire. You can still rotate the certificate if you want, for whatever reason, before the expiry date is up.

Just so you're aware, there are two different types of trust anchors we use for linkerd: one for the control plane and data plane, and one for webhooks. It's good to know in case you'll bootstrap certificates with long expiry dates.

TL;DR: yes, you can provide your own long-lived certs and not have to rotate them until they expire.