Istio Citadel intermediate CA configuration¶
In an Istio service mesh, the Citadel component can be configured to operate as an intermediate Certificate Authority (CA). In this configuration Citadel is given an existing root certificate together with an intermediate signing certificate and its private key, rather than generating a self-signed root of its own.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
By operating in this mode, Citadel sits hierarchically beneath the specified root CA.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md] Only the intermediate's private key needs to be present in the cluster; the root's private key is never required by Citadel and can be kept offline or in an HSM. This lets operators integrate Istio's certificate management into an existing Public Key Infrastructure (PKI), rotate the in-cluster signing key without re-distributing the root, and meet organizational requirements on how root key material is handled.
Required artifacts¶
To configure Citadel as an intermediate CA, operators must provide the following cryptographic artifacts^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]:
- Root CA certificate: the self-signed certificate of the root authority (e.g., root-cert.pem). This is what workloads ultimately trust.
- Intermediate certificate: the certificate for the intermediate CA (e.g., ca-cert.pem), signed by the root.
- Intermediate private key: the private key corresponding to the intermediate certificate (e.g., ca-key.pem). This is the only private key Citadel needs, so it is the secret to protect in the cluster.
- Certificate chain: a file containing the trust chain (e.g., cert-chain.pem), which typically bundles the intermediate certificate followed by the root certificate.
Workload certificate generation¶
Once configured, the Citadel intermediate CA signs workload certificates for the services in the mesh^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]. These workload certificates are signed using the intermediate CA's private key, so a peer validating one needs the intermediate certificate (delivered via the chain) to build a path up to the root it trusts.
Each workload certificate includes a Subject Alternative Name (SAN) URI that identifies the workload's identity within the trust domain^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]. The identity is derived from the Kubernetes namespace and service account, and generally follows the structure:
spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
For example, a workload in namespace foo with service account foo might receive a certificate with the SAN spiffe://trust-domain-foo/ns/foo/sa/foo^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md].
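The following Go program is an added example, not code from Istio or from the sample-certs README. It models the whole hierarchy the page describes with the standard library only: it builds a root CA and an intermediate CA, emits the four artifacts listed above (root-cert.pem, ca-cert.pem, ca-key.pem, cert-chain.pem) as PEM byte slices, signs a workload certificate with the intermediate key carrying the page's example SPIFFE URI SAN, and then verifies that certificate the way a peer would, using only root-cert.pem as the trust anchor plus the chain. The trust domain "trust-domain-foo", the certificate subjects, the key type (P-256) and the validity periods are assumptions chosen for the example, not values Istio uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumed trust domain, mirroring the page's example identity.
const trustDomain = "trust-domain-foo"

// PKIArtifacts holds the four PEM files an operator would hand to Citadel.
type PKIArtifacts struct {
	RootCert  []byte // root-cert.pem: the trust anchor peers validate against
	CACert    []byte // ca-cert.pem: the intermediate certificate
	CAKey     []byte // ca-key.pem: the only private key present in the cluster
	CertChain []byte // cert-chain.pem: intermediate followed by root
	ca        *x509.Certificate
	caKey     *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func toPEM(t string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der})
}

// BuildPKI creates a root CA and an intermediate CA signed by it. The root key
// is dropped on return: nothing in the cluster ever needs it.
func BuildPKI() (*PKIArtifacts, error) {
	rootKey, rootTmpl := newKey(), caTemplate("Example Root CA", 1)
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, _ := x509.ParseCertificate(rootDER)
	caKey, caTmpl := newKey(), caTemplate("Example Intermediate CA", 2)
	caTmpl.MaxPathLen, caTmpl.MaxPathLenZero = 0, true // may sign leaves, not further CAs
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, root, &caKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(caDER)
	caKeyDER, _ := x509.MarshalECPrivateKey(caKey)
	rootPEM, caPEM := toPEM("CERTIFICATE", rootDER), toPEM("CERTIFICATE", caDER)
	return &PKIArtifacts{RootCert: rootPEM, CACert: caPEM, CAKey: toPEM("EC PRIVATE KEY", caKeyDER),
		CertChain: append(append([]byte{}, caPEM...), rootPEM...), ca: ca, caKey: caKey}, nil
}

// SignWorkload issues a leaf certificate for spiffe://<trust-domain>/ns/<ns>/sa/<sa>,
// signed with the intermediate key, as Citadel does for a mesh workload.
func SignWorkload(p *PKIArtifacts, namespace, serviceAccount string) ([]byte, error) {
	id := &url.URL{Scheme: "spiffe", Host: trustDomain, Path: fmt.Sprintf("/ns/%s/sa/%s", namespace, serviceAccount)}
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id}, // the SPIFFE identity lives in the URI SAN, not the subject
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.ca, &leafKey.PublicKey, p.caKey)
	if err != nil {
		return nil, err
	}
	return toPEM("CERTIFICATE", der), nil
}

func parsePEMCerts(b []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for blk, rest := pem.Decode(b); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// VerifyWorkload does what a peer sidecar does: builds a path from the leaf through
// the presented chain to root-cert.pem, then checks the SPIFFE ID's trust domain.
func VerifyWorkload(leafPEM, chainPEM, rootPEM []byte) (string, error) {
	blk, _ := pem.Decode(leafPEM)
	if blk == nil {
		return "", errors.New("no certificate in leaf PEM")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return "", err
	}
	roots, err := parsePEMCerts(rootPEM)
	if err != nil {
		return "", err
	}
	inters, err := parsePEMCerts(chainPEM)
	if err != nil {
		return "", err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	if id := leaf.URIs[0]; id.Scheme != "spiffe" || id.Host != trustDomain {
		return "", fmt.Errorf("identity %s is outside trust domain %s", id, trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	p, _ := BuildPKI()
	leaf, _ := SignWorkload(p, "foo", "foo")
	id, err := VerifyWorkload(leaf, p.CertChain, p.RootCert)
	fmt.Println(id, err)
}
```

Two checks worth running against a real deployment fall out of this model: a workload certificate must fail to verify when cert-chain.pem is withheld (the intermediate is not in the peer's trust store, only the root is), and a certificate issued under a different root must be rejected even when it presents its own chain. Both are asserted in the test below; if either passes in your mesh, the trust store is wider than the page's design intends.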
Related concepts¶
- Istio
- [[Public Key Infrastructure]]
- [[Certificate Authority]]
Sources¶
^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]