Plug in CA Certificates
This task shows how administrators can configure the Istio certificate authority (CA) with a root certificate, signing certificate and key.
By default the Istio CA generates a self-signed root certificate and key and uses them to sign the workload certificates. To protect the root CA key, you should use a root CA which runs on a secure machine offline, and use the root CA to issue intermediate certificates to the Istio CAs that run in each cluster. An Istio CA can sign workload certificates using the administrator-specified certificate and key, and distribute an administrator-specified root certificate to the workloads as the root of trust.
The following graph demonstrates the recommended CA hierarchy in a mesh containing two clusters.
This task demonstrates how to generate and plug in the certificates and key for the Istio CA. These steps can be repeated to provision certificates and keys for Istio CAs running in each cluster.
Plug in certificates and key into the cluster
In the top-level directory of the Istio installation package, create a directory to hold certificates and keys:
Generate the root certificate and key:
This will generate the following files:
root-cert.pem
: the generated root certificateroot-key.pem
: the generated root keyroot-ca.conf
: the configuration foropenssl
to generate the root certificateroot-cert.csr
: the generated CSR for the root certificate
For each cluster, generate an intermediate certificate and key for the Istio CA. The following is an example for
cluster1
:This will generate the following files in a directory named
cluster1
:ca-cert.pem
: the generated intermediate certificatesca-key.pem
: the generated intermediate keycert-chain.pem
: the generated certificate chain which is used by istiodroot-cert.pem
: the root certificate
You can replace
cluster1
with a string of your choosing. For example, with the argumentcluster2-cacerts
, you can create certificates and key in a directory calledcluster2
.If you are doing this on an offline machine, copy the generated directory to a machine with access to the clusters.
In each cluster, create a secret
cacerts
including all the input filesca-cert.pem
,ca-key.pem
,root-cert.pem
andcert-chain.pem
. For example, forcluster1
:Return to the top-level directory of the Istio installation:
Deploy Istio
Deploy Istio using the
demo
profile.Istio’s CA will read certificates and key from the secret-mount files.
Deploying example services
Deploy the
httpbin
andcurl
sample services.Deploy a policy for workloads in the
foo
namespace to only accept mutual TLS traffic.
Verifying the certificates
In this section, we verify that workload certificates are signed by the certificates that we plugged into the CA.
This requires you have openssl
installed on your machine.
Sleep 20 seconds for the mTLS policy to take effect before retrieving the certificate chain of
httpbin
. As the CA certificate used in this example is self-signed, theverify error:num=19:self signed certificate in certificate chain
error returned by the openssl command is expected.Parse the certificates on the certificate chain.
Verify the root certificate is the same as the one specified by the administrator:
Verify the CA certificate is the same as the one specified by the administrator:
Verify the certificate chain from the root certificate to the workload certificate:
Cleanup
Remove the certificates, keys, and intermediate files from your local disk:
Remove the secret
cacerts
:Remove the authentication policy from the
foo
namespace:Remove the sample applications
curl
andhttpbin
:Uninstall Istio from the cluster:
Remove the namespace
foo
andistio-system
from the cluster: