Project: Cloud Infrastructure Security & Compliance
Issue: CMP-1042

[SC-12,SC-12(2),SC-12(3)]: External certificates


    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • Sprint: CMP Sprint 41, CMP Sprint 42

      This card is a continuation of CMP-942, covering external certificates. Please see CMP-942 for the full discussion. SC-12 as a whole is an organizational control (see e.g. this issue). However, we should still provide some guidance.

      For external certs, we should collect documentation on which certs can be managed by an external CA. A quick docs search shows that it is possible to set external certs for the API server or the ingress operator.

      Then, Michael Epley suggested the following about external certs:

      We generally get systems accredited using internally self-signed certs. It varies somewhat by customer, and the ability to use external certs is preferred. Note the requirement is "only approved trust anchors" (emphasis mine) – and the AO can approve self-signed CAs for this purpose. Self-signed and self-managed PKI usually requires justification whereas pre-approved enterprise CAs and PKI do not and also don't have the burden of building your own PKI management and governance (though this can be susceptible to automation for OCP). Running your self-managed PKI for internal certs may trigger more scrutiny and use of HSMs (I can cite specific examples of this being the case for certain customers).

      So knowing which certs can be issued by an external CA and which can't would be helpful in making sure the number of self-signed CAs is kept to a minimum.
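The two externally manageable certificates mentioned above (API server and ingress operator) are configured through the following OpenShift resources. This is an added example for the reader, not content from this card or from the CMP-942 discussion; the hostnames api.example.com and *.apps.example.com and the secret names api-external-cert and ingress-external-cert are assumed placeholders. Both secrets are standard kubernetes.io/tls secrets holding the certificate chain and private key issued by the approved external CA.

```yaml
# Added example: serve an externally issued certificate on the API server.
# The referenced secret must live in the openshift-config namespace.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  servingCerts:
    namedCertificates:
      - names:
          - api.example.com            # assumed external API hostname
        servingCertificate:
          name: api-external-cert      # assumed secret name (kubernetes.io/tls)
---
# Added example: serve an externally issued wildcard certificate on the
# default ingress controller. The referenced secret must live in the
# openshift-ingress namespace and should cover *.apps.example.com (assumed).
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: ingress-external-cert        # assumed secret name (kubernetes.io/tls)
```

The secrets are created with `oc create secret tls api-external-cert --cert=<chain.pem> --key=<key.pem> -n openshift-config` (and the ingress equivalent in openshift-ingress) before the resources above are applied. Two points matter for the accreditation discussion: only the externally reachable endpoints change here, while the cluster's internal certificates (the internal API endpoint, kubelet, etcd and the service CA) remain issued by cluster-managed CAs and therefore still count toward the self-signed CAs that need AO approval; and the result should be verified from outside the cluster, e.g. with `openssl s_client -connect api.example.com:6443 -servername api.example.com -CAfile <approved-trust-anchor.pem>`, confirming that the presented chain terminates in the approved trust anchor rather than in the cluster's own CA.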

      People: Matt Rogers (rhn-support-mrogers, Inactive), Jakub Hrozek (jhrozek@redhat.com, Inactive)