Some organizations use an intermediate certificate for signing server and client certs, where this intermediate certificate is signed by the root CA. In this case, the intermediate cert should be included in the node.crt, client.node.crt, and/or ui.crt. The root CA cert should still be contained in the ca.crt file.
Example:
ca.crt: contains the root CA certificate
node.crt: contains the server's "node" cert, and the intermediate signing certificate
client.node.crt: contains the server's "client" cert, and the intermediate signing certificate
ui.crt: contains the server's "ui" cert, and the intermediate signing certificate
John Sheaffer (sheaffej) commented:
Potential spot in the documentation to add this clarification is: https://www.cockroachlabs.com/docs/v20.1/create-security-certificates-custom-ca.html
Jira Issue: DOC-575
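The file layout described in this issue can be checked with the openssl CLI before deploying certificates. The following is an added example, not part of the original issue or the CockroachDB documentation: it builds a throwaway root, intermediate, and "node" leaf (key file names, pki.cnf, leaf.crt, and the "Demo" subjects are constructed for illustration) and confirms that node.crt validates against ca.crt only when the intermediate is bundled with the leaf.

```shell
#!/bin/sh
# Added example: throwaway CA hierarchy; all names and subjects are constructed.

# Build root -> intermediate -> "node" leaf in directory $1.
make_demo_pki() {
  local d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: self-signed, goes alone into ca.crt.
  openssl req -x509 -config "$d/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -subj "/CN=Demo Root CA" -days 2 -out "$d/ca.crt" 2>/dev/null
  # Intermediate CA: signed by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/int.key" -subj "/CN=Demo Intermediate CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions ca_ext -days 2 -out "$d/int.crt" 2>/dev/null
  # Node leaf: signed by the intermediate, not by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/node.key" -subj "/CN=node" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.crt" 2>/dev/null
  # node.crt = leaf first, then the intermediate signing certificate.
  cat "$d/leaf.crt" "$d/int.crt" > "$d/node.crt"
}

# Succeeds only if the first cert in bundle $2 chains to a root in $1,
# using the other certs in the same bundle as untrusted intermediates.
check_bundle() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d; d="$(mktemp -d)"
  make_demo_pki "$d"
  check_bundle "$d/ca.crt" "$d/node.crt" && echo "node.crt (leaf + intermediate): chain OK"
  check_bundle "$d/ca.crt" "$d/leaf.crt" || echo "leaf only: chain FAILS, intermediate missing"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes; `check_bundle ca.crt node.crt` can be pointed at real files, and applies equally to client.node.crt and ui.crt.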