cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
thesasuser
Lapis Lazuli | Level 10 thesasuser
Lapis Lazuli | Level 10
Go to Solution

Understanding the difference between TLS certificates in Viya

Posted 02-17-2026 12:35 PM (432 views)

Hello
While working on configuration of SAS Viya4 for using customer provided ca certificates, I came across these terms.
trustedcerts.pem, sas-ingress-certificate.pem, sas-ingress.key and sas-ingress-CA-certificate.pem.
Wondering if some one can help me understand these terms?

0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
angian
SAS Employee angian
SAS Employee

Re: Understanding the difference between TLS certificates in Viya

Posted 04-08-2026 05:49 PM (219 views)  |   In reply to thesasuser

1. 🗝sas-ingress.key — The Private Key

This is the private key for the Ingress Controller (typically NGINX). It is the secret half of the public/private key pair used in TLS handshakes.

  • What it does: Used by the Ingress Controller to decrypt incoming HTTPS traffic from browsers/clients.
  • Where it lives: Stored inside a Kubernetes secret called sas-ingress-certificate (alongside the signed certificate).
  • How it's specified: In customer-provided-ingress-certificate.yaml as tls.key.
  • Important: Never expose this file. It must match the public certificate (sas-ingress-certificate.pem).

2. 📄 sas-ingress-certificate.pem — The Signed Server Identity Certificate

This is the public TLS certificate for the Ingress Controller — the certificate presented to browsers and clients when they connect to SAS Viya over HTTPS.

  • What it does: Proves the identity of your SAS Viya server to external clients (browsers, APIs, etc.).
  • Signed by: Your organization's CA (the one referenced in sas-ingress-CA-certificate.pem).
  • Where it lives: Also stored in the Kubernetes secret sas-ingress-certificate, specified as tls.crt in customer-provided-ingress-certificate.yaml.
  • Requirement: Must be a wildcard or contain a SAN matching your Ingress FQDN.

3. 🏛sas-ingress-CA-certificate.pem — The CA Certificate (Trust Anchor)

This is the Certificate Authority (CA) certificate that signed sas-ingress-certificate.pem. It represents the root (or intermediate) of your PKI trust chain.

  • What it does: Allows SAS Viya's internal services (pods) to trust the Ingress certificate. Without this, internal pod-to-pod or pod-to-ingress communication will fail with x509: certificate signed by unknown authority errors.
  • When required: Needed when the CA that signed the Ingress certificate is not in the Mozilla trusted CA bundle (i.e., it's a private/corporate CA, not a public one like DigiCert or Let's Encrypt).
  • How it's provided: Via customer-provided-ca-certificates.yaml — you place PEM-encoded CA cert files under site-config/security/cacerts/ and reference them in that YAML.
  • What it updates: SAS Viya's internal trust stores across all pods (managed by the sas-certframe init container).
📌 If your Ingress cert is signed by a well-known public CA (e.g., Let's Encrypt, DigiCert), you may not need this file since those CAs are already in the Mozilla bundle included in SAS Viya's default trust store.

4. 🗃trustedcerts.pem — The Aggregated Trust Store

This is SAS Viya's compiled/aggregated trust store file — a single PEM file that concatenates all trusted CA certificates that SAS services use to verify TLS connections.

  • What it does: Acts as the unified CA bundle for all SAS Viya internal services. When a SAS service (e.g., CAS, SAS Logon) makes an outbound TLS connection, it validates the peer's certificate against this file.
  • Where it lives: Inside running containers at: 
    /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem
  • What it contains: Mozilla public CA certs + the Ingress CA chain + the SAS internal CA + any additional customer-provided CA certs.
  • Managed by: The sas-certframe init container, which builds this file automatically at pod startup by merging all the CA sources.
For the official SAS documentation on this, the SAS Help Center has a comprehensive guide: Configure Network Security and Encryption.
 

View solution in original post

Reply
1 REPLY 1
angian
SAS Employee angian
SAS Employee

Re: Understanding the difference between TLS certificates in Viya

Posted 04-08-2026 05:49 PM (220 views)  |   In reply to thesasuser

1. 🗝sas-ingress.key — The Private Key

This is the private key for the Ingress Controller (typically NGINX). It is the secret half of the public/private key pair used in TLS handshakes.

  • What it does: Used by the Ingress Controller to decrypt incoming HTTPS traffic from browsers/clients.
  • Where it lives: Stored inside a Kubernetes secret called sas-ingress-certificate (alongside the signed certificate).
  • How it's specified: In customer-provided-ingress-certificate.yaml as tls.key.
  • Important: Never expose this file. It must match the public certificate (sas-ingress-certificate.pem).

2. 📄 sas-ingress-certificate.pem — The Signed Server Identity Certificate

This is the public TLS certificate for the Ingress Controller — the certificate presented to browsers and clients when they connect to SAS Viya over HTTPS.

  • What it does: Proves the identity of your SAS Viya server to external clients (browsers, APIs, etc.).
  • Signed by: Your organization's CA (the one referenced in sas-ingress-CA-certificate.pem).
  • Where it lives: Also stored in the Kubernetes secret sas-ingress-certificate, specified as tls.crt in customer-provided-ingress-certificate.yaml.
  • Requirement: Must be a wildcard or contain a SAN matching your Ingress FQDN.

3. 🏛sas-ingress-CA-certificate.pem — The CA Certificate (Trust Anchor)

This is the Certificate Authority (CA) certificate that signed sas-ingress-certificate.pem. It represents the root (or intermediate) of your PKI trust chain.

  • What it does: Allows SAS Viya's internal services (pods) to trust the Ingress certificate. Without this, internal pod-to-pod or pod-to-ingress communication will fail with x509: certificate signed by unknown authority errors.
  • When required: Needed when the CA that signed the Ingress certificate is not in the Mozilla trusted CA bundle (i.e., it's a private/corporate CA, not a public one like DigiCert or Let's Encrypt).
  • How it's provided: Via customer-provided-ca-certificates.yaml — you place PEM-encoded CA cert files under site-config/security/cacerts/ and reference them in that YAML.
  • What it updates: SAS Viya's internal trust stores across all pods (managed by the sas-certframe init container).
📌 If your Ingress cert is signed by a well-known public CA (e.g., Let's Encrypt, DigiCert), you may not need this file since those CAs are already in the Mozilla bundle included in SAS Viya's default trust store.

4. 🗃trustedcerts.pem — The Aggregated Trust Store

This is SAS Viya's compiled/aggregated trust store file — a single PEM file that concatenates all trusted CA certificates that SAS services use to verify TLS connections.

  • What it does: Acts as the unified CA bundle for all SAS Viya internal services. When a SAS service (e.g., CAS, SAS Logon) makes an outbound TLS connection, it validates the peer's certificate against this file.
  • Where it lives: Inside running containers at: 
    /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem
  • What it contains: Mozilla public CA certs + the Ingress CA chain + the SAS internal CA + any additional customer-provided CA certs.
  • Managed by: The sas-certframe init container, which builds this file automatically at pod startup by merging all the CA sources.
For the official SAS documentation on this, the SAS Help Center has a comprehensive guide: Configure Network Security and Encryption.
 
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

Learn how to explore data assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 1 reply
  • ‎02-17-2026 12:35 PM
  • 433 views
  • 1 like
  • 2 in conversation