Linkerd comes with its own CA, and it generates its own self-signed root certificate for its control plane identity pod. The identity pod then uses this certificate to issue short (24 hours) certificates to the services that are running Linkerd proxy.

You can use a trusted certificate signed by a CA provider before installing the Linkerd control plane.

We will create our root and intermediate certificate and supply them to Linkerd install, assuming that they are from a trusted source. For this purpose, we will use an open source project, smallstep (https://github.com/smallstep). It is simple to use as it takes the complexity out of the certificate creation process. Let's understand this through an example.