Good practices in handling CA (certificate authority)


I am running a microk8s cluster with 3 nodes on which I am setting up the MongoDB Kubernetes Community Operator according to the guidance from here. When it comes to securing the Replica Set with TLS, it’s stated that I should:

[…] generate a CA certificate, or use your own. […]

I wonder now whether, in a microk8s cluster, it is good practice to use the ca.crt from /var/snap/microk8s/current/certs/ca.crt, which I would first have to change by adding the subject alt names to the csr.conf (DNS1 = xyz, …)? Is it meant like this? Or should I rather create a new CA from scratch and use this CA only for the purpose of MongoDB?

The latter I have already tried, but I am struggling quite a bit with openssl.

Any hints, ideas, comments are highly appreciated.