https://communities.sas.com/t5/Administration-and-Deployment/Understanding-the-difference-between-TLS-certificates-in-Viya/m-p/986135#M30773 <DIV> <H3>1. <span class="lia-unicode-emoji" title=":old_key:">🗝</span>️ <CODE>sas-ingress.key</CODE> — The Private Key</H3> <P>This is the <STRONG>private key</STRONG> for the Ingress Controller (typically NGINX). It is the secret half of the public/private key pair used in TLS handshakes.</P> <UL> <LI><STRONG>What it does</STRONG>: Used by the Ingress Controller to decrypt incoming HTTPS traffic from browsers/clients.</LI> <LI><STRONG>Where it lives</STRONG>: Stored inside a Kubernetes secret called <CODE>sas-ingress-certificate</CODE> (alongside the signed certificate).</LI> <LI><STRONG>How it's specified</STRONG>: In <CODE>customer-provided-ingress-certificate.yaml</CODE> as <CODE>tls.key</CODE>.</LI> <LI><STRONG>Important</STRONG>: Never expose this file. It must match the public certificate (<CODE>sas-ingress-certificate.pem</CODE>).</LI> </UL> <DIV> <H3>2. <span class="lia-unicode-emoji" title=":page_facing_up:">📄</span> <CODE>sas-ingress-certificate.pem</CODE> — The Signed Server Identity Certificate</H3> <P>This is the <STRONG>public TLS certificate</STRONG> for the Ingress Controller — the certificate presented to browsers and clients when they connect to SAS Viya over HTTPS.</P> <UL> <LI><STRONG>What it does</STRONG>: Proves the identity of your SAS Viya server to external clients (browsers, APIs, etc.).</LI> <LI><STRONG>Signed by</STRONG>: Your organization's CA (the one referenced in <CODE>sas-ingress-CA-certificate.pem</CODE>).</LI> <LI><STRONG>Where it lives</STRONG>: Also stored in the Kubernetes secret <CODE>sas-ingress-certificate</CODE>, specified as <CODE>tls.crt</CODE> in <CODE>customer-provided-ingress-certificate.yaml</CODE>.</LI> <LI><STRONG>Requirement</STRONG>: Must be a wildcard or contain a SAN matching your Ingress FQDN.</LI> </UL> <DIV> <H3>3. <span class="lia-unicode-emoji" title=":classical_building:">🏛</span>️ <CODE>sas-ingress-CA-certificate.pem</CODE> — The CA Certificate (Trust Anchor)</H3> <P>This is the <STRONG>Certificate Authority (CA) certificate</STRONG> that <STRONG>signed</STRONG> <CODE>sas-ingress-certificate.pem</CODE>. It represents the root (or intermediate) of your PKI trust chain.</P> <UL> <LI><STRONG>What it does</STRONG>: Allows SAS Viya's internal services (pods) to <STRONG>trust</STRONG> the Ingress certificate. Without this, internal pod-to-pod or pod-to-ingress communication will fail with <CODE>x509: certificate signed by unknown authority</CODE> errors.</LI> <LI><STRONG>When required</STRONG>: Needed when the CA that signed the Ingress certificate is <STRONG>not</STRONG> in the Mozilla trusted CA bundle (i.e., it's a private/corporate CA, not a public one like DigiCert or Let's Encrypt).</LI> <LI><STRONG>How it's provided</STRONG>: Via <CODE>customer-provided-ca-certificates.yaml</CODE> — you place PEM-encoded CA cert files under <CODE>site-config/security/cacerts/</CODE> and reference them in that YAML.</LI> <LI><STRONG>What it updates</STRONG>: SAS Viya's internal <STRONG>trust stores</STRONG> across all pods (managed by the <CODE>sas-certframe</CODE> init container).</LI> </UL> <DIV><span class="lia-unicode-emoji" title=":pushpin:">📌</span> If your Ingress cert is signed by a <STRONG>well-known public CA</STRONG> (e.g., Let's Encrypt, DigiCert), you may not need this file since those CAs are already in the Mozilla bundle included in SAS Viya's default trust store.</DIV> <DIV> <DIV> <H3>4. <span class="lia-unicode-emoji" title=":card_file_box:">🗃</span>️ <CODE>trustedcerts.pem</CODE> — The Aggregated Trust Store</H3> <P>This is SAS Viya's <STRONG>compiled/aggregated trust store file</STRONG> — a single PEM file that concatenates <STRONG>all trusted CA certificates</STRONG> that SAS services use to verify TLS connections.</P> <UL> <LI><STRONG>What it does</STRONG>: Acts as the unified CA bundle for all SAS Viya internal services. When a SAS service (e.g., CAS, SAS Logon) makes an outbound TLS connection, it validates the peer's certificate against this file.</LI> <LI><STRONG>Where it lives</STRONG>: Inside running containers at: <PRE><CODE>/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem </CODE></PRE> </LI> <LI><STRONG>What it contains</STRONG>: Mozilla public CA certs + the Ingress CA chain + the SAS internal CA + any additional customer-provided CA certs.</LI> <LI><STRONG>Managed by</STRONG>: The <CODE>sas-certframe</CODE> init container, which builds this file automatically at pod startup by merging all the CA sources.</LI> </UL> <DIV>For the official SAS documentation on this, the SAS Help Center has a comprehensive guide: <A class="fui-Link ___w5et180 f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv f1mo0ibp fjoy568 ff5ikls f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a" tabindex="0" href="https://go.documentation.sas.com/doc/en/sasadmincdc/v_056/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm" rel="noopener noreferrer" data-tabster="{&quot;restorer&quot;:{&quot;type&quot;:1}}" target="_blank">Configure Network Security and Encryption</A>.</DIV> </DIV> </DIV> <DIV>&nbsp;</DIV> </DIV> </DIV> </DIV> Wed, 08 Apr 2026 21:49:23 GMT angian 2026-04-08T21:49:23Z https://communities.sas.com/t5/Administration-and-Deployment/Understanding-the-difference-between-TLS-certificates-in-Viya/m-p/983630#M30687 <P>Hello<BR />While working on configuration of SAS Viya4 for using customer provided ca certificates, I came across these terms.<BR />trustedcerts.pem, sas-ingress-certificate.pem, sas-ingress.key and sas-ingress-CA-certificate.pem.<BR />Wondering if some one can help me understand these terms?<BR /><BR /></P> Tue, 17 Feb 2026 17:35:31 GMT https://communities.sas.com/t5/Administration-and-Deployment/Understanding-the-difference-between-TLS-certificates-in-Viya/m-p/983630#M30687 thesasuser 2026-02-17T17:35:31Z https://communities.sas.com/t5/Administration-and-Deployment/Understanding-the-difference-between-TLS-certificates-in-Viya/m-p/986135#M30773 <DIV> <H3>1. <span class="lia-unicode-emoji" title=":old_key:">🗝</span>️ <CODE>sas-ingress.key</CODE> — The Private Key</H3> <P>This is the <STRONG>private key</STRONG> for the Ingress Controller (typically NGINX). It is the secret half of the public/private key pair used in TLS handshakes.</P> <UL> <LI><STRONG>What it does</STRONG>: Used by the Ingress Controller to decrypt incoming HTTPS traffic from browsers/clients.</LI> <LI><STRONG>Where it lives</STRONG>: Stored inside a Kubernetes secret called <CODE>sas-ingress-certificate</CODE> (alongside the signed certificate).</LI> <LI><STRONG>How it's specified</STRONG>: In <CODE>customer-provided-ingress-certificate.yaml</CODE> as <CODE>tls.key</CODE>.</LI> <LI><STRONG>Important</STRONG>: Never expose this file. It must match the public certificate (<CODE>sas-ingress-certificate.pem</CODE>).</LI> </UL> <DIV> <H3>2. <span class="lia-unicode-emoji" title=":page_facing_up:">📄</span> <CODE>sas-ingress-certificate.pem</CODE> — The Signed Server Identity Certificate</H3> <P>This is the <STRONG>public TLS certificate</STRONG> for the Ingress Controller — the certificate presented to browsers and clients when they connect to SAS Viya over HTTPS.</P> <UL> <LI><STRONG>What it does</STRONG>: Proves the identity of your SAS Viya server to external clients (browsers, APIs, etc.).</LI> <LI><STRONG>Signed by</STRONG>: Your organization's CA (the one referenced in <CODE>sas-ingress-CA-certificate.pem</CODE>).</LI> <LI><STRONG>Where it lives</STRONG>: Also stored in the Kubernetes secret <CODE>sas-ingress-certificate</CODE>, specified as <CODE>tls.crt</CODE> in <CODE>customer-provided-ingress-certificate.yaml</CODE>.</LI> <LI><STRONG>Requirement</STRONG>: Must be a wildcard or contain a SAN matching your Ingress FQDN.</LI> </UL> <DIV> <H3>3. <span class="lia-unicode-emoji" title=":classical_building:">🏛</span>️ <CODE>sas-ingress-CA-certificate.pem</CODE> — The CA Certificate (Trust Anchor)</H3> <P>This is the <STRONG>Certificate Authority (CA) certificate</STRONG> that <STRONG>signed</STRONG> <CODE>sas-ingress-certificate.pem</CODE>. It represents the root (or intermediate) of your PKI trust chain.</P> <UL> <LI><STRONG>What it does</STRONG>: Allows SAS Viya's internal services (pods) to <STRONG>trust</STRONG> the Ingress certificate. Without this, internal pod-to-pod or pod-to-ingress communication will fail with <CODE>x509: certificate signed by unknown authority</CODE> errors.</LI> <LI><STRONG>When required</STRONG>: Needed when the CA that signed the Ingress certificate is <STRONG>not</STRONG> in the Mozilla trusted CA bundle (i.e., it's a private/corporate CA, not a public one like DigiCert or Let's Encrypt).</LI> <LI><STRONG>How it's provided</STRONG>: Via <CODE>customer-provided-ca-certificates.yaml</CODE> — you place PEM-encoded CA cert files under <CODE>site-config/security/cacerts/</CODE> and reference them in that YAML.</LI> <LI><STRONG>What it updates</STRONG>: SAS Viya's internal <STRONG>trust stores</STRONG> across all pods (managed by the <CODE>sas-certframe</CODE> init container).</LI> </UL> <DIV><span class="lia-unicode-emoji" title=":pushpin:">📌</span> If your Ingress cert is signed by a <STRONG>well-known public CA</STRONG> (e.g., Let's Encrypt, DigiCert), you may not need this file since those CAs are already in the Mozilla bundle included in SAS Viya's default trust store.</DIV> <DIV> <DIV> <H3>4. <span class="lia-unicode-emoji" title=":card_file_box:">🗃</span>️ <CODE>trustedcerts.pem</CODE> — The Aggregated Trust Store</H3> <P>This is SAS Viya's <STRONG>compiled/aggregated trust store file</STRONG> — a single PEM file that concatenates <STRONG>all trusted CA certificates</STRONG> that SAS services use to verify TLS connections.</P> <UL> <LI><STRONG>What it does</STRONG>: Acts as the unified CA bundle for all SAS Viya internal services. When a SAS service (e.g., CAS, SAS Logon) makes an outbound TLS connection, it validates the peer's certificate against this file.</LI> <LI><STRONG>Where it lives</STRONG>: Inside running containers at: <PRE><CODE>/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem </CODE></PRE> </LI> <LI><STRONG>What it contains</STRONG>: Mozilla public CA certs + the Ingress CA chain + the SAS internal CA + any additional customer-provided CA certs.</LI> <LI><STRONG>Managed by</STRONG>: The <CODE>sas-certframe</CODE> init container, which builds this file automatically at pod startup by merging all the CA sources.</LI> </UL> <DIV>For the official SAS documentation on this, the SAS Help Center has a comprehensive guide: <A class="fui-Link ___w5et180 f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv f1mo0ibp fjoy568 ff5ikls f1s184ao f1mk8lai fnbmjn9 f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a" tabindex="0" href="https://go.documentation.sas.com/doc/en/sasadmincdc/v_056/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm" rel="noopener noreferrer" data-tabster="{&quot;restorer&quot;:{&quot;type&quot;:1}}" target="_blank">Configure Network Security and Encryption</A>.</DIV> </DIV> </DIV> <DIV>&nbsp;</DIV> </DIV> </DIV> </DIV> Wed, 08 Apr 2026 21:49:23 GMT https://communities.sas.com/t5/Administration-and-Deployment/Understanding-the-difference-between-TLS-certificates-in-Viya/m-p/986135#M30773 angian 2026-04-08T21:49:23Z