Feature
Resolution: Unresolved
Critical
Product / Portfolio Work
Feature
The requirement to integrate with external enterprise Certificate Authority (CA) systems is driven by security and compliance demands from customers, including those in the Government and Telco sectors.
The focus is on implementing an Intermediate Signing CA Strategy to satisfy compliance needs while maintaining OpenShift's operational integrity.
Mechanism
OpenShift will be configured to accept an intermediate signing certificate (Intermediate CA) provided by the external authority as an input (e.g. during installation).
Result
This allows OpenShift to use its existing internal, automated PKI mechanisms for tasks like bootstrapping, rotation, and self-healing, while all platform certificates are ultimately chained to the customer's trusted enterprise root CA.
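A pre-flight check an operator could run on an intermediate signing CA before supplying it to a platform. This is an added example, not OpenShift code or part of the original feature description. The file names, subject names, the 30-day expiry threshold and the choice of checks are assumptions, and the PKI it builds is a constructed throwaway made with the `openssl` CLI.

```shell
#!/bin/sh
# Added example: pre-flight checks on an intermediate signing CA. All names are constructed.

# make_demo_pki DIR: throwaway root CA plus an intermediate CA and a non-CA leaf signed by it.
make_demo_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ica]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/pki.cnf" -extensions v3_root \
    -subj "/CN=Demo Enterprise Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  for n in ica leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
      -days 365 -extfile "$d/pki.cnf" -extensions "v3_$n" -out "$d/$n.crt" 2>/dev/null
  done
}

# check_intermediate CERT KEY ROOT: print OK and return 0 only if CERT can act as a
# signing CA under ROOT, KEY is its private key, and it is not about to expire.
check_intermediate() {
  crt=$1 key=$2 root=$3
  text=$(openssl x509 -in "$crt" -noout -text) || return 1
  # Without CA:TRUE and keyCertSign, certificates issued under it fail path validation.
  echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: not a CA certificate"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyCertSign missing"; return 1; }
  # The intermediate must chain to the enterprise root the customer trusts.
  openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: does not chain to root"; return 1; }
  # The supplied private key must belong to the certificate.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: key does not match certificate"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: expires within 30 days"; return 1; }
  echo "OK"
}
```

To try it, create a scratch directory with `mktemp -d`, call `make_demo_pki` on it, then run `check_intermediate` against `ica.crt`, `ica.key` and `root.crt` in that directory.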
Scope Rationale
After extensive review, the project scope has undergone a strategic shift based on the consensus that a full external CA integration for internal platform certificates would be overly complex, introduce new points of failure, compromise OpenShift's automated life cycle management, and conflict with core reliability design principles.