TLS for Nomad UI and node communication

  1. install cfssl
brew install cfssl
  2. generate a local CA (produces nomad-ca.pem and nomad-ca-key.pem)
cfssl print-defaults csr | cfssl gencert -initca - | cfssljson -bare nomad-ca
  3. create a cfssl.json config file

{ "signing": { "default": { "expiry": "87600h", "usages": ["signing", "key encipherment", "server auth", "client auth"] } } }

  4. issue the server certificate

echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -config=cfssl.json -hostname="server.global.nomad,localhost,127.0.0.1" - | cfssljson -bare server

  5. issue the client certificate

echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -config=cfssl.json -hostname="client.global.nomad,localhost,127.0.0.1" - | cfssljson -bare client

  6. issue the CLI certificate

echo '{}' | cfssl gencert -ca=nomad-ca.pem -ca-key=nomad-ca-key.pem -profile=client - | cfssljson -bare cli

  7. copy all those certificates to /etc/certs on the Nomad servers

  8. change the owner of /etc/certs

$ sudo chown -R nomad:nomad /etc/certs

  9. copy the CA certificate into the trusted PKI CA store (on each server)

  10. update the Nomad config with the following stanza

# Require TLS
tls {
  http = true
  rpc  = true

  ca_file   = "nomad-ca.pem"
  cert_file = "server.pem"
  key_file  = "server-key.pem"

  verify_server_hostname = false
  verify_https_client    = false
}

With verify_server_hostname = false a client only checks that the server certificate chains to the CA, not that it names server.global.nomad; with verify_https_client = false the HTTP API (and so the UI) does not require a client certificate.

  11. restart the nomad service

$ sudo service nomad restart

  12. update the Nomad service endpoint address in the traefik configuration

  13. set the traefik Nomad service endpoint TLS option to not check the CA
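As an added illustration (not from the page's author, Nomad or cfssl), the Go program below reproduces the cfssl.json policy with the standard library and then runs the check that verify_server_hostname = true would add on a Nomad peer. Because the policy grants every certificate both server auth and client auth, the -hostname SANs are the only thing separating server.pem from client.pem; with CA trust alone (verify_server_hostname = false, as in the stanza above) any certificate from the same CA would be accepted as a server. The function names, the Ed25519 key type and the CA lifetime are choices made here, not cfssl's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign generates an Ed25519 key pair and signs tmpl with parent; a nil parentKey makes tmpl self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parentKey == nil { // root case, what "cfssl gencert -initca" does for nomad-ca.pem
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Minute)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA stands in for nomad-ca.pem / nomad-ca-key.pem (5-year lifetime is an assumption made here).
func newCA() (*x509.Certificate, ed25519.PrivateKey) {
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: "nomad-ca"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotAfter: time.Now().Add(5 * 365 * 24 * time.Hour)}, nil, nil)
}

// issue applies the cfssl.json policy (87600h expiry; signing, key encipherment, server auth, client auth)
// and puts the -hostname list into the SANs, as the server/client gencert commands above do.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, hostnames ...string) (*x509.Certificate, ed25519.PrivateKey) {
	return sign(&x509.Certificate{NotAfter: time.Now().Add(87600 * time.Hour), DNSNames: hostnames,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
}

// verifyAsServer is the check that verify_server_hostname = true adds on top of CA trust: the peer must
// chain to nomad-ca.pem and also name the expected server in its SANs, so client.pem cannot pose as a server.
func verifyAsServer(ca, leaf *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}
```

Verifying server.pem against a second, unrelated CA fails as well; that CA check is what the last traefik step switches off.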