Intermediate certificate authority pattern¶
The Intermediate certificate authority pattern is a security architecture model in which a subordinate Certificate Authority (CA), referred to as an intermediate CA, is configured to issue certificates under the authority of a trusted Root CA, instead of the Root CA signing end-entity certificates directly.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
Function¶
In this deployment structure, the intermediate CA acts as the day-to-day signing authority for the system. It uses its own private key to issue certificates to endpoints or workloads, while its own certificate is signed by, and therefore anchored in, the Root CA certificate^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]. This creates a chain of trust in which the Root CA certifies the intermediate CA and the intermediate CA certifies the leaf resources. Two consequences matter in practice: a relying party that trusts only the root can validate a workload certificate only if it also has the intermediate certificate, so the intermediate must be distributed alongside each leaf; and the root private key is not needed by the running system once the intermediate has been issued, so it can be kept offline, and an intermediate whose key is compromised can be revoked and reissued without replacing the trust anchor.
Key Components¶
- Root Certificate: The top-level `root-cert.pem` serves as the trust anchor^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md].
- Intermediate Certificate: The `ca-cert.pem` and corresponding `ca-key.pem` are used to sign workload certificates^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md].
- Certificate Chain: A `cert-chain.pem` file is provided to establish the full path of trust from the workload back to the root^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md].
Example Implementation¶
A common application of this pattern is found within Service mesh technologies like Istio. In this context, a component named Citadel can be configured to function as an intermediate CA^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md] (in Istio 1.5 and later, Citadel's CA function is part of istiod). Citadel manages the signing of workload certificates (e.g., `workload-foo-cert.pem`) using the intermediate key, while operators provide the existing root certificate to establish the trust domain^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md].
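As an added worked example covering the Function and Key Components sections above (this is not code from the cited README or from Istio), the Go program below builds a root CA, an intermediate CA signed by it, and a workload certificate signed by the intermediate, then verifies the workload certificate against a trust store that holds only the root: once with the intermediate included in the chain, as `cert-chain.pem` would carry it, and once with the leaf alone. Go is used because Istio's CA is written in Go and Go's standard `crypto/x509` performs the same chain building a peer does. All names, the SPIFFE identity, serial numbers and lifetimes are constructed for the example; the file names mentioned in comments refer only to the roles `root-cert.pem`, `ca-cert.pem`/`ca-key.pem` and `cert-chain.pem` play.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue generates a fresh P-256 key for tmpl and has parentKey sign the
// certificate; parent == nil yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA template; pathLenZero (pathlen:0) restricts the CA to
// end-entity certificates, so a leaked intermediate key cannot mint sub-CAs.
func caTemplate(serial int64, cn string, years int, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: pathLenZero,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewHierarchy builds root -> intermediate (the ca-cert.pem/ca-key.pem role) -> workload
// leaf (all names constructed). The root key is discarded: the running system never needs it.
func NewHierarchy() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue(caTemplate(1, "Example Root CA", 10, false), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{ // short-lived workload cert with a SPIFFE URI SAN
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "workload-foo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs: []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/foo"}},
	}, inter, interKey)
	return root, inter, leaf, err
}

// ChainPEM serialises certificates leaf first: the layout of cert-chain.pem.
func ChainPEM(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyChain validates a leaf-first PEM chain against a store holding only the root,
// exactly what a peer with root-cert.pem does; a chain missing the intermediate is rejected.
func VerifyChain(rootPEM, chainPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // an empty store simply fails as unknown authority
	blk, rest := pem.Decode(chainPEM)
	if blk == nil {
		return fmt.Errorf("chain has no leaf certificate")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	inters := x509.NewCertPool()
	inters.AppendCertsFromPEM(rest) // adds nothing for a leaf-only chain
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, inter, leaf, err := NewHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf + intermediate:", VerifyChain(ChainPEM(root), ChainPEM(leaf, inter)))
	fmt.Println("leaf alone:", VerifyChain(ChainPEM(root), ChainPEM(leaf)))
}
```

The second call fails with Go's unknown-authority error, which is the symptom seen in practice when a workload presents only its own certificate and the peer holds only the root: the path from leaf to trust anchor cannot be built without the intermediate. Pinning the intermediate directly as the trust anchor also works, but then rotating the intermediate breaks every peer, which is why the root stays the anchor and the intermediate travels in the chain.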
Sources¶
^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
Related¶
- [[Public Key Infrastructure]]
- Istio
- [[Zero Trust network architecture]]