Type: Suggestion
Resolution: Unresolved
Component/s: Security
Suggestion:
Implement functionality that allows users to replace the auto-generated gRPC server certificates with customer-defined certificates. This feature would provide users with greater control over certificate handling, enhancing security compliance and operational flexibility. The current design uses auto-generated, ephemeral certificates signed by a custom Root CA, which some environments find challenging due to automated security scans and strict compliance frameworks.
Current Behavior:
The current design uses a custom Root CA to sign dynamically generated one-time certificates on each server start. These certificates are temporary and are not used as a direct replacement for server identity, aligning with the design principle of maintaining dynamic identities.
Proposed Behavior:
Introduce a feature to configure a customer-defined certificate to replace the auto-generated gRPC server certificate. This change would involve an option in the configuration to prevent the generation of new certificates at each server startup and use the specified static certificate instead.