Certificate trust chain validation
Certificate trust chain validation is the process of verifying a certificate's authenticity by establishing a chain of trust up to a trusted Root Certificate Authority (CA).^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
This validation is a critical component of Public Key Infrastructure (PKI) and is used in service meshes such as Istio to secure communication between workloads. In these systems an intermediate authority such as Citadel (now often referred to as Istiod) operates as an intermediate CA under a Root CA and issues and manages the workload certificates^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
Validation Components
The validation process relies on a structured set of files that establish the identity of the certificate holder and the authority that issued it.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md] These typically include:
- Root CA Certificate (`root-cert.pem`): The top-most, trusted certificate that anchors the trust chain^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
- Intermediate CA Certificate (`ca-cert.pem`): The certificate issued by the Root CA to an intermediate authority (e.g., Citadel)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
- Workload Certificate: The end-entity certificate assigned to a specific service or workload, often containing a Subject Alternative Name (SAN) such as a URI (e.g., `spiffe://trust-domain-foo/ns/foo/sa/foo`)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
- Certificate Trust Chain (`cert-chain.pem`): A file containing the sequence of certificates required to link the workload certificate to the root CA^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
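The following Go program is an added example, not code from the Istio project or from the README cited above. It builds the same three-tier hierarchy the file list describes (Root CA, intermediate CA standing in for Citadel, workload certificate with a SPIFFE URI SAN) in memory, using only the Go standard library, and then validates `cert-chain.pem` against `root-cert.pem` the way a peer does at the TLS handshake: path building through the intermediate, signature and validity checks, and a check that the leaf's URI SAN equals the expected SPIFFE ID. All keys and subject names are generated on the fly and are constructed values; the `Bundle` type, `BuildBundle` and `VerifyWorkload` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundle holds, in memory, the files the page lists: RootCert is root-cert.pem,
// CACert is ca-cert.pem, WorkloadCert is the end-entity certificate on its own,
// and CertChain is cert-chain.pem (workload cert followed by the intermediate).
type Bundle struct {
	RootCert, CACert, WorkloadCert, CertChain []byte
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// BuildBundle constructs a throwaway hierarchy Root CA -> intermediate CA
// (standing in for Citadel/Istiod) -> workload certificate whose URI SAN is
// spiffeID. Keys and names are generated here (constructed, not from a real mesh).
func BuildBundle(spiffeID string) Bundle {
	now := time.Now()
	rootKey, caKey, leafKey := mustKey(), mustKey(), mustKey()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed anchor
	ca := sign(caTmpl(2, "Example Intermediate CA"), root, &caKey.PublicKey, rootKey)

	id, err := url.Parse(spiffeID)
	if err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour), // workload certs are short-lived
		URIs:         []*url.URL{id},     // the SPIFFE identity lives in the SAN
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leaf := sign(leafTmpl, ca, &leafKey.PublicKey, caKey)

	return Bundle{
		RootCert:     toPEM(root),
		CACert:       toPEM(ca),
		WorkloadCert: toPEM(leaf),
		CertChain:    append(toPEM(leaf), toPEM(ca)...),
	}
}

// VerifyWorkload does what a peer does at the handshake: parse cert-chain.pem,
// build a path from the workload certificate through the intermediates to a
// root in root-cert.pem, then require the leaf's URI SAN to be the expected ID.
func VerifyWorkload(b Bundle, expectedSPIFFEID string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(b.RootCert) {
		return errors.New("root-cert.pem contains no certificates")
	}
	var chain []*x509.Certificate
	for rest := b.CertChain; ; {
		var blk *pem.Block
		if blk, rest = pem.Decode(rest); blk == nil {
			break
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return fmt.Errorf("cert-chain.pem: %w", err)
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		return errors.New("cert-chain.pem contains no certificates")
	}
	leaf, intermediates := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, u := range leaf.URIs {
		if u.String() == expectedSPIFFEID {
			return nil
		}
	}
	return fmt.Errorf("workload certificate does not carry URI SAN %q", expectedSPIFFEID)
}

func main() {
	const id = "spiffe://trust-domain-foo/ns/foo/sa/foo" // the example ID from the file list
	b := BuildBundle(id)
	fmt.Println("full chain:", VerifyWorkload(b, id))
	b.CertChain = b.WorkloadCert // omit the intermediate: no path to the root can be built
	fmt.Println("leaf only: ", VerifyWorkload(b, id))
}
```

Two design points are worth noting. Only `root-cert.pem` is a trust anchor; `ca-cert.pem` is never added to the root pool, so a chain that omits the intermediate (or presents one signed by some other root) is rejected even though every individual certificate is well formed. And the SPIFFE ID is taken from the URI SAN rather than the subject, so identity checks compare the SAN, not the CommonName.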
Related Concepts
- [[Public Key Infrastructure]]
- [[Mutual TLS]]
- SPIFFE
Sources
^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]