# Private CA for Grafana Loki Client Authentication

## Generate CA Key/Certificate

```sh
openssl genpkey -algorithm ED25519 -out loki-ca.key
openssl req -new -config openssl.cnf -key loki-ca.key -x509 -out loki-ca.crt -days 3653
```

## Create SealedSecret

```sh
kubectl create secret tls -n cert-manager loki-ca --cert loki-ca.crt --key loki-ca.key --dry-run=client -o yaml | kubeseal -o yaml > secrets.yaml
```

_Note_: the SealedSecret is stored in the _cert-manager_ namespace since it is used by a ClusterIssuer.

## Deploy

```sh
kubectl apply -f .
```
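
A check to run on `loki-ca.crt` and `loki-ca.key` before the sealing step, as an added example that is not part of the original README: it confirms that the key matches the certificate, that the certificate is marked `CA:TRUE`, and that it has not expired. The names `check_ca_pair`, `make_sample_pair` and `sample.cnf` are assumptions made for illustration; the README's own `openssl.cnf` is not shown, so the sample pair is built from a constructed minimal config.

```sh
# Added example, not from the original README.
# Usage before sealing: check_ca_pair loki-ca.crt loki-ca.key
check_ca_pair() {
    cert=$1; key=$2
    # Both files must parse; a truncated or mislabeled PEM fails here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a readable X.509 certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: $key is not a readable private key" >&2; return 1; }
    # The certificate must carry the public half of this private key.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: certificate and key do not belong together" >&2; return 1; }
    # An issuing certificate needs basicConstraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || {
        echo "FAIL: certificate is not marked CA:TRUE" >&2; return 1; }
    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        echo "FAIL: certificate has expired" >&2; return 1; }
    echo "OK: $cert is a usable CA certificate matching $key"
}

# Constructed sample input: a throwaway Ed25519 key and self-signed
# certificate in directory $1 with basicConstraints CA:$2 (TRUE or FALSE).
# sample.cnf is a hypothetical stand-in for the README's openssl.cnf.
make_sample_pair() {
    cat > "$1/sample.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed sample CA
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl genpkey -algorithm ED25519 -out "$1/sample.key" 2>/dev/null &&
    openssl req -new -config "$1/sample.cnf" -key "$1/sample.key" -x509 \
        -out "$1/sample.crt" -days 1 2>/dev/null
}
```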