feat: root domain templating (defenseunicorns#1343)

chance-coleman · web-flow · commit f64974c4caf8 · 2025-03-11T15:59:21.000Z
## Description New feature to add root domain configuration to the istio package. This allows for applications to sit on the root domain and be configured with a virtual service to be accessed. Templating includes options for TLS mode, TLSversion, cert, key, and cacert. Also a credential override if not using the templated tls secret. ## Related Issue Fixes defenseunicorns#1301 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Steps to Validate This is a bit complicated to test but here are some steps: - Configure the values.yaml (certs for `uds.dev` and `uds.admin.dev`): ```yaml enableRootDomain: true rootDomainTLS: mode: SIMPLE # e.g., SIMPLE, MUTUAL, etc. default SIMPLE credentialName: "" # If set to a non-empty value, the chart will assume this secret already exists and will not auto-generate it using the provided cert data. supportTLSV1_2: true # Set to false to enforce TLSV1_3 only cert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5akNDQWQ2Z0F3SUJBZ0lVS2xZTlg5TG9CcSt4QytOWEF4eHg0R3VDZ0RZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0VqRVFNQTRHQTFVRUF3d0hkV1J6TG1SbGRqQWVGdzB5TlRBek1EWXhORFUwTlRsYUZ3MHlOakF6TURZeApORFUwTlRsYU1CSXhFREFPQmdOVkJBTU1CM1ZrY3k1a1pYWXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQ3hMTHJ2ZWFHNDQ0NDFsbk8xaEVTSXUvM2UvOTRFVkxMZE5NSnpTNHJxOHl1Qi8wZGUKeVdaRFpISUJpb0RnbGFhaENUUUtUNFlFWTlkenBmNVFiWW9PUkZON1BoWEJUSTBacjlNUjRBQk9SeEpLbUREawpxelBWOGZPZW41a0dKaEFtWmllS0NuWk44a0FUZ29zQVVNUlh0Mk9laXE3Rmh0VUFQU0JaaGRueXJSOWZobGtsCnl0dGRxYXAxcFJZNmtzbStuWjVsbTdxc2RqMXdoQnVvN1lZcmtoYWlqUEF6WWFISkJCZ0VjWnVyMVN0a05BcjEKU2FmM1V5SmwxSkVMTG1ta2hiV0FBSDI2eVZKcGsyZTRkUVRrM3U3eWw3c1A2ZkhPSUoyeTdDbWZTM2xzV3hWMApBK0VUVC9DUVpBVHVXMHVYenowWFVjaDduL3EybnlyVHArREpBZ01CQUFHalJEQkNNQ0VHQTFVZEVRUWFNQmlDCkIzVmtjeTVrWlhhQ0RXRmtiV2x1TG5Wa2N5NWtaWFl3SFFZRFZSME9CQllFRk03dGdpdlovNC9LNzlwTzBUcnYKd2hvZUJaUm5NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFYd1p5MkdTaksreVJ2SGpBd0J5UlRUUW9hZ1RKeQpIUG1zK2kxY0xRMEJJaWE1b2hsMmE2U1d2eHpVdzcxczNCK0kyaHo5aTQ3TFlaQ1hCYWpsUzZLeEZ6bXRneXNaCitBa0VWOWFNZk9kb1dLMVA3UHVEQWZtYXFSY21pQU1SYWd2NDZCRnYyL2ozNU9FUTZUQTNGZGNIYitrN0tQWjMKUmJwcFVTWk84RHJpN0dLMnJXeVZBMHBLK0FUdzBtYWJzS1FNYVVmNFZ1cEhxNWRON21VS2U1S2cxZmluS2ltZAppZEhBYWxuREw4c3c0UTYzbTBpWTd0T1h1eGIvRlFmM0c4Smx5RXF0SUZyTWFndkZ6UzhoVExxTlRpRVdSbTJpClkvYitZMGZyazRyQTR2RUowWGlMVEpnSzJlOTVCZU1IMWJlUWV1ZG9DY3JyRmNuYnpMTmJBalpSCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" key: "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ3hMTHJ2ZWFHNDQ0NDEKbG5PMWhFU0l1LzNlLzk0RVZMTGROTUp6UzRycTh5dUIvMGRleVdaRFpISUJpb0RnbGFhaENUUUtUNFlFWTlkegpwZjVRYllvT1JGTjdQaFhCVEkwWnI5TVI0QUJPUnhKS21ERGtxelBWOGZPZW41a0dKaEFtWmllS0NuWk44a0FUCmdvc0FVTVJYdDJPZWlxN0ZodFVBUFNCWmhkbnlyUjlmaGxrbHl0dGRxYXAxcFJZNmtzbStuWjVsbTdxc2RqMXcKaEJ1bzdZWXJraGFpalBBellhSEpCQmdFY1p1cjFTdGtOQXIxU2FmM1V5SmwxSkVMTG1ta2hiV0FBSDI2eVZKcAprMmU0ZFFUazN1N3lsN3NQNmZIT0lKMnk3Q21mUzNsc1d4VjBBK0VUVC9DUVpBVHVXMHVYenowWFVjaDduL3EyCm55clRwK0RKQWdNQkFBRUNnZ0VBTlk5MEk1ajlqc3NiM285UkEzcXN6VGtua2haL280ZUhXdC9zT0xhSmxHVlcKcmNIaWJZRXM3UXFjZkdMR2V4NUNkVVEyK3piM0tMU1dHVndBK1lkanlOUlcrRmJZZE1zVGpNUmVablQxSXJUUgpqc05iWklWczhpeG1uWGxaNVVYMGMrZEY1TEVzK250VmE1QjNQTzB0cmVhK3N0cng0cnpULzNKN0tSVVJ3ZzZhCnM5c1R2T3dNU2RGUkxvWHU5bUE1RXlrWndTcjFuaVNkblp4OUlvNlJ1OFdRNEY5eXBuVVplQUd3VDBlWWd5QjcKcnczNmlzR3kzZC92SlJuNnZIcklDMk5rc2dqQURJYkpLUzdNNG5yc0s0WkRqYm5SZHlOVnBYYkc2UFdyMTJsTQp0bC9ZNndKeXhmaG5kSURYWERlYkVJL3Nxa2hjTTlqYitoaXV3aDd6MFFLQmdRRHBWbzMxZThRTDhvbGNBZ1loCnUvV0xDWlh3cjVFc2xXWkduWXhlSllYQjMwNE82T0M0SnlPTXd3dHJDOUlhMk9kK1IrMTc2VC8xb3Z4RFoxNHAKaWZNdFJnWEpQNTlQQXhVMGNpQUhoQUsrbWNUUXk1Q0JETXNUbmlXdUZIUDBab3g1WHpYRXN3U0JUck9DWExyTQpPSGVzZ25DVElCWlpYUFJ3WGlWWlozdE5id0tCZ1FEQ1ljdVZPeHlONkl3SVhpR0x4bXFabEM1dVhkc2ZoUkthCmJzWDdwdXJXbmJ0UUQzZVFUWGtvOWJPRUV6NFQvWFA0cmw2NkpMMllGQnY4MnVOY05KMEV4MkNtM3VHbGh1QWgKc0Rwa0t3ckQ2UGlJclZlT2p0RXNpR2pEZTVMNGgwczQ2UFZjTVBVUXlXQjAyNGhuSEZnRytFaWhRUWE3N0J1TAp3UzdQazh1SlJ3S0JnRFp2VzlUT0Y5RlZ0cGZCWFI3WGs1UHBHNUszMHAxZENTd21LdzMzb1BtMmw2WkF5OVFLClJXL2NQTGl2WEVlcEhIQklaVzNIMzRUMWpmWkhraDhNc0s5NkszVmtvMHl5Z21ybXlQUVg1dkFDUFhrY1ZFelcKNkRWZWFwbnU2WkkxcmtYT1lXUFBBNWtLL0RQSVlFZXVVTFR0QlVnOWJ4bFA1ektqdEFEa2RFNS9Bb0dBZktTSgpEdUFncHo1K3pMN1BjL2wvVVl1Yldsb0VzR2w4VEZyTHlWcDNLN2RvN1NWOTNhSlFGdHUyaVBKdDFCT3AwY1MrCktVNTE1SmJBZTV0QVAxZmRkN3NCVnYrRVljZmk0TGRJT2dML25EQS9iaVQ1Q0FpOFNIb1A4NG5CN0d1VTZLRTQKOUN6UWVEc3BCc1hlNlg5YlV0elNkZFJrcFF2NWZkd2FVREROU3ZFQ2dZRUEzT0hhV2k3eDF0c1ZLSWpjMEtGZwpxbmtjOTZBQlQ5dTR3V0t0bG9ZNXZFNDNWN2M1ZGM4QnZ0UGp1QUNucjZ2Q253YzZ3MjlhT3RzVUJPdVJNZ2QrCmlFRlpGcTN4bjVGK2I5MURLUzZDN2FLTjcvRzY3OUl6OFpZaGdVZGhuL1I4SjRPNkdXbGJEL2gvQThGQUJDOHIKZzlMTW9KUUxlc1VNQXVma1I5V25udGc9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K" cacert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5akNDQWQ2Z0F3SUJBZ0lVS2xZTlg5TG9CcSt4QytOWEF4eHg0R3VDZ0RZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0VqRVFNQTRHQTFVRUF3d0hkV1J6TG1SbGRqQWVGdzB5TlRBek1EWXhORFUwTlRsYUZ3MHlOakF6TURZeApORFUwTlRsYU1CSXhFREFPQmdOVkJBTU1CM1ZrY3k1a1pYWXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQ3hMTHJ2ZWFHNDQ0NDFsbk8xaEVTSXUvM2UvOTRFVkxMZE5NSnpTNHJxOHl1Qi8wZGUKeVdaRFpISUJpb0RnbGFhaENUUUtUNFlFWTlkenBmNVFiWW9PUkZON1BoWEJUSTBacjlNUjRBQk9SeEpLbUREawpxelBWOGZPZW41a0dKaEFtWmllS0NuWk44a0FUZ29zQVVNUlh0Mk9laXE3Rmh0VUFQU0JaaGRueXJSOWZobGtsCnl0dGRxYXAxcFJZNmtzbStuWjVsbTdxc2RqMXdoQnVvN1lZcmtoYWlqUEF6WWFISkJCZ0VjWnVyMVN0a05BcjEKU2FmM1V5SmwxSkVMTG1ta2hiV0FBSDI2eVZKcGsyZTRkUVRrM3U3eWw3c1A2ZkhPSUoyeTdDbWZTM2xzV3hWMApBK0VUVC9DUVpBVHVXMHVYenowWFVjaDduL3EybnlyVHArREpBZ01CQUFHalJEQkNNQ0VHQTFVZEVRUWFNQmlDCkIzVmtjeTVrWlhhQ0RXRmtiV2x1TG5Wa2N5NWtaWFl3SFFZRFZSME9CQllFRk03dGdpdlovNC9LNzlwTzBUcnYKd2hvZUJaUm5NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFYd1p5MkdTaksreVJ2SGpBd0J5UlRUUW9hZ1RKeQpIUG1zK2kxY0xRMEJJaWE1b2hsMmE2U1d2eHpVdzcxczNCK0kyaHo5aTQ3TFlaQ1hCYWpsUzZLeEZ6bXRneXNaCitBa0VWOWFNZk9kb1dLMVA3UHVEQWZtYXFSY21pQU1SYWd2NDZCRnYyL2ozNU9FUTZUQTNGZGNIYitrN0tQWjMKUmJwcFVTWk84RHJpN0dLMnJXeVZBMHBLK0FUdzBtYWJzS1FNYVVmNFZ1cEhxNWRON21VS2U1S2cxZmluS2ltZAppZEhBYWxuREw4c3c0UTYzbTBpWTd0T1h1eGIvRlFmM0c4Smx5RXF0SUZyTWFndkZ6UzhoVExxTlRpRVdSbTJpClkvYitZMGZyazRyQTR2RUowWGlMVEpnSzJlOTVCZU1IMWJlUWV1ZG9DY3JyRmNuYnpMTmJBalpSCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" ``` - modify /etc/hosts file to include the ingress-gateway external ip `<external-ip> uds.dev` - deploy slim-dev `uds run slim-dev` - add virtual service to app-tenant manifest ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: test-tenant-app namespace: test-tenant-app spec: hosts: - uds.dev gateways: - istio-tenant-gateway/tenant-gateway http: - match: - uri: prefix: /port8080 name: route-8080 rewrite: uri: / route: - destination: host: test-tenant-app port: number: 8080 - match: - uri: prefix: /port8081 name: route-8081 rewrite: uri: / route: - destination: host: test-tenant-app port: number: 8081 ``` - build and deploy test apps `uds zarf package create src/test --confirm --no-progress --skip-sbom && uds zarf package deploy build/zarf-package-uds-core-test-apps-*.zst --confirm --no-progress` - curl the uds.dev url: `curl -vk https://uds.dev/port8080` and should receive a `Hello from port 8080` ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
diff --git a/docs/reference/UDS Core/dns.md b/docs/reference/UDS Core/dns.md
@@ -12,7 +12,11 @@ Each Gateway requires a wildcard DNS entry corresponding with the chosen `DOMAIN
 - `*.admin.<DOMAIN>` / Admin Gateway if NOT setting `ADMIN_DOMAIN`
 
 :::note
-The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways). 
+Wildcard records do not cover the root (apex) domain itself. If you need to serve applications directly on the root (for example, `uds.dev`), see [Istio Ingress docs](https://uds.defenseunicorns.com/reference/configuration/ingress/).
+:::
+
+:::note
+The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways).
 :::
 
 ### Bundle Configuration
@@ -28,7 +32,7 @@ metadata:
   name: core-with-lb-config
   description: A UDS example bundle for deploying UDS Core with external Load Balancer configuration
   version: "0.0.1"
-  
+
 packages:
   - name: core
     repository: oci://ghcr.io/defenseunicorns/packages/uds/core
@@ -52,7 +56,7 @@ overrides:
       - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-scheme
         value: "internet-facing"
       - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-attributes
-        value: "load_balancing.cross_zone.enabled=true"        
+        value: "load_balancing.cross_zone.enabled=true"
 ```
 
 ### Istio Gateways
@@ -72,4 +76,4 @@ istio-admin-gateway         admin-ingressgateway                             Loa
 istio-tenant-gateway        tenant-ingressgateway                            LoadBalancer   10.43.47.182    k8s-istioten-tenant...elb.us-east-1.amazonaws.com  15021:31222/TCP,80:30456/TCP,443:32508/TCP  1h
 ```
 
-From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. 
+From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation.
diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md
@@ -132,3 +132,69 @@ packages:
             - path: tls.credentialName
               value: tenant-gateway-tls-secret # Reference to the Kubernetes secret for the tenant gateway's TLS certificate
 ```
+
+### Root (Apex) Domain Configuration
+By default, the UDS Core Gateways are configured with wildcard hosts (for example, `*.uds.dev`), which match only subdomains (such as `demo.uds.dev` or `keycloak.admin.uds.dev`). The root domain (i.e. `uds.dev`) is not covered by a wildcard. This is important if you need an application to be accessible at the root of your domain.
+
+To support this use case, UDS Core provides an optional configuration to enable a dedicated server block for the root domain. When enabled, two additional server blocks are added to your Istio Gateway:
+- **HTTP on port 80**: Redirects traffic to HTTPS.
+- **HTTPS on port 443**: Terminates TLS using settings from the rootDomain.tls section.
+
+If you want your application to be reachable at `https://uds.dev`, enable root (apex) domain configuration via a bundle override in your UDS Bundle. For example:
+```yaml
+  - name: core
+    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
+    ref: 0.23.0-upstream
+    overrides:
+      istio-tenant-gateway:
+        uds-istio-config:
+          values:
+            - path: rootDomain.enabled
+              value: true
+            - path: rootDomain.tls.mode
+              value: SIMPLE
+            - path: rootDomain.tls.credentialName
+              value: ""  # Leave blank to auto-create the secret using the provided cert data.
+            - path: rootDomain.tls.supportTLSV1_2
+              value: true
+          variables:
+            - path: rootDomain.tls.cert
+              name: "ROOT_TLS_CERT"
+            - path: rootDomain.tls.key
+              name: "ROOT_TLS_KEY"
+            - path: rootDomain.tls.cacert
+              name: "ROOT_TLS_CACERT"
+```
+:::note
+- If you provide a non-empty value for credentialName, UDS Core assumes that you have pre-created the Kubernetes secret and will not auto-generate it using the certificate data.
+
+- If you prefer to use an existing secret (such as when using a SAN certificate that covers both subdomains and the root) you may set the `rootDomain.tls.credentialName` field to the name of that secret (for example, `gateway-tls`). In that case, UDS Core assumes the secret exists and will not auto-create one using the certificate data.
+:::
+
+#### Exposing a Service on the Root Domain with a VirtualService
+Once your root domain configuration is enabled and DNS is correctly set up (i.e. an A record for `uds.dev` points to your ingress gateway), you can expose services directly on the root domain. For example, to route traffic from `https://uds.dev/my-app` to a service in your cluster, create a VirtualService similar to the following:
+```yaml
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: my-app
+  namespace: my-namespace
+spec:
+  hosts:
+    - uds.dev
+  # If your gateway is deployed in a different namespace, fully qualify it:
+  gateways:
+    - istio-tenant-gateway/tenant-gateway
+  http:
+    - match:
+        - uri:
+            prefix: /my-app
+      rewrite:
+        uri: "/"  # Optionally strip the /my-app prefix before forwarding
+      route:
+        - destination:
+            host: my-app-service
+            port:
+              number: 80
+```
+This VirtualService matches requests to the root domain (`uds.dev`) with the path prefix `/my-app` and routes them to your service (`my-app-service` on port 80).
diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml
@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 {{- $domain := tpl .Values.domain . }}
+{{- $rootTLS := .Values.rootDomain.tls | default dict -}}
+{{- $rootMode := $rootTLS.mode | default ($.Values.tls.mode | default "SIMPLE") -}}
+{{- $rootSupportTLS := $rootTLS.supportTLSV1_2 | default ($.Values.tls.supportTLSV1_2 | default false) -}}
 {{- if .Values.tls }}
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
@@ -35,8 +38,29 @@ spec:
         mode: {{ $server.mode }}
         {{- if ne $server.mode "PASSTHROUGH" }}
         credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }}
-        # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3
         minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }}
         {{- end }}
     {{ end }}
+    {{- if .Values.rootDomain.enabled }}
+    - hosts:
+        - "{{ $domain }}"
+      port:
+        name: "http-root-domain"
+        number: 80
+        protocol: HTTP
+      tls:
+        httpsRedirect: true
+    - hosts:
+        - "{{ $domain }}"
+      port:
+        name: "https-root-domain"
+        number: 443
+        protocol: HTTPS
+      tls:
+        mode: {{ $rootMode | quote }}
+        {{- if ne $rootMode "PASSTHROUGH" }}
+        credentialName: {{ $rootTLS.credentialName | default "root-domain-tls" | quote }}
+        minProtocolVersion: {{ if $rootSupportTLS }}TLSV1_2{{ else }}TLSV1_3{{ end }}
+        {{- end }}
+    {{- end }}
 {{ end }}
diff --git a/src/istio/chart/templates/root-tls-cert.yaml b/src/istio/chart/templates/root-tls-cert.yaml
@@ -0,0 +1,17 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- $rootTls := .Values.rootDomain.tls }}
+{{ if and $rootTls.cert (not $rootTls.credentialName) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: root-domain-tls
+  namespace: {{ .Release.Namespace }}
+data:
+  tls.crt: {{ $rootTls.cert }}
+  tls.key: {{ $rootTls.key }}
+  cacert: {{ $rootTls.cacert }}
+type: kubernetes.io/tls
+---
+{{ end }}
diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml
@@ -32,3 +32,15 @@ domain: "###ZARF_VAR_DOMAIN###"
 #         - "*"
 #   # Whether to support TLS 1.2 (if false, only TLS 1.3 will be supported)
 #   supportTLSV1_2: true
+
+# Enable root (apex) domain configuration. When true, the Gateway creates dedicated server blocks
+# for the root domain (e.g. uds.dev). This is required because wildcard hosts (e.g. *.uds.dev) do not match the root.
+rootDomain:
+  enabled: false
+  tls: {}
+  #   mode: SIMPLE                          # TLS mode (e.g., SIMPLE, MUTUAL). Default is SIMPLE.
+  #   credentialName: ""                    # Specify a TLS secret name if pre-created. Set to "" to auto-create using the cert data.
+  #   supportTLSV1_2: true                  # Set to true to support TLS 1.2, or false to enforce TLS 1.3 only.
+  #   cert: "BASE64_ENCODED_CERTIFICATE"    # Base64-encoded certificate data. For self-signed certs, cert and cacert are typically the same.
+  #   key: "BASE64_ENCODED_PRIVATE_KEY"     # Base64-encoded private key.
+  #   cacert: "BASE64_ENCODED_CERTIFICATE"  # Base64-encoded CA certificate (use the same as cert for self-signed).
