How to retrieve tap-ingress-selfsigned-root-ca certificate

Article ID: 297897

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

- By default, Tanzu Application Platform installs and uses a self-signed CA to issue TLS certificates to components, securing ingress communication.
- The ingress issuer is a self-signed cert-manager.io/v1/ClusterIssuer provided by Tanzu Application Platform’s cert-manager package. Its default name is tap-ingress-selfsigned.
- When you access the app URL, you will notice that the certificate presented is issued by tap-ingress-selfsigned-root-ca.
- This knowledge base article explains how to retrieve the tap-ingress-selfsigned-root-ca certificate.

Environment

Product Version: 1.4

Resolution

1. First, confirm that the CA certificate is stored in a secret named tap-ingress-selfsigned-root-ca:
$ kubectl get ClusterIssuer tap-ingress-selfsigned -o jsonpath='{.spec.ca}'
{"secretName":"tap-ingress-selfsigned-root-ca"}
2. Retrieve the ca.crt and save it to a .crt file by running:
$ kubectl -n cert-manager get secret tap-ingress-selfsigned-root-ca -o json | \
  jq -r '.data."ca.crt"' | base64 -d > tap-ingress-selfsigned-root-ca.crt
3. Confirm that tap-ingress-selfsigned-root-ca.crt was retrieved correctly. It can then be added to the system trust store to avoid certificate errors when accessing the apps.
$ head -2 tap-ingress-selfsigned-root-ca.crt
-----BEGIN CERTIFICATE-----
MIIDHzCCAgegAwIBAgIRAOSqJV97PuV/I3MV6r6AcewwDQYJKoZIhvcNAQELBQAw

$ openssl x509 -in tap-ingress-selfsigned-root-ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:aa:25:5f:7b:3e:e5:7f:23:73:15:ea:be:80:71:ec
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = tap-ingress-selfsigned-root-ca
        Validity
            Not Before: Mar 17 09:23:52 2023 GMT
            Not After : Jun 15 09:23:52 2023 GMT
        Subject: CN = tap-ingress-selfsigned-root-ca
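
Before the retrieved file goes into a trust store, it is worth checking that it is a single, self-signed CA certificate and how long it remains valid; the certificate shown above is valid for only 90 days (Mar 17 to Jun 15 2023). The following is an added example, not part of the original article: the function names check_root_ca and make_constructed_ca and the 14-day default are assumptions, and the sample CA is constructed locally with openssl.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): sanity-check a retrieved CA file
# before it goes into a trust store. Function names are hypothetical.

# check_root_ca FILE [MIN_DAYS]: prints the SHA-256 fingerprint and returns 0,
# or returns a non-zero code identifying the first check that failed.
check_root_ca() {
  local crt="$1" min_days="${2:-14}"
  # 1: the secret's ca.crt key should hold exactly one PEM certificate.
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null)" = 1 ] ||
    { echo "FAIL: expected exactly one PEM certificate" >&2; return 1; }
  # 2: it must parse as X.509 (catches a truncated or badly decoded file).
  openssl x509 -in "$crt" -noout 2>/dev/null ||
    { echo "FAIL: not a parsable X.509 certificate" >&2; return 2; }
  # 3: a root CA is self-issued and verifies under its own public key.
  [ "$(openssl x509 -in "$crt" -noout -subject | sed 's/^[a-z]*= *//')" = \
    "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^[a-z]*= *//')" ] &&
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: not a self-signed root" >&2; return 3; }
  # 4: only a certificate marked CA:TRUE belongs in a trust store as a CA.
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
    { echo "FAIL: basicConstraints is not CA:TRUE" >&2; return 4; }
  # 5: flag a CA that expires within MIN_DAYS, so rotation is planned for.
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: expires within $min_days days" >&2; return 5; }
  # Fingerprint to compare against the issuer seen when accessing the app URL.
  openssl x509 -in "$crt" -noout -fingerprint -sha256
}

# make_constructed_ca DIR: writes DIR/ca.crt, a throwaway 90-day self-signed CA
# (constructed sample input standing in for the file retrieved in step 2).
make_constructed_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
    'prompt=no' '[dn]' 'CN=constructed-sample-root-ca' \
    '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
```

Run it against the retrieved file as `check_root_ca tap-ingress-selfsigned-root-ca.crt` and record the printed fingerprint; a later non-zero result or a changed fingerprint means the trust-store copy needs refreshing.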