You reference this file in your API server start parameters using the --client-ca-file flag.
For testing or private clusters, you might generate your own using tools like cfssl or openssl : Initialize a CA with cfssl gencert -initca ca-csr.json . clientca.pem download