Istio plugin CA workflow

The Istio plugin CA workflow involves configuring Citadel (Istio's certificate authority) to function as an intermediate CA under an existing, operator-provided Root Certificate Authority.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md] This setup allows a specific root certificate, along with its corresponding signing certificates and keys, to be integrated into the Istio mesh.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

Key Components

This workflow requires specific artifacts to be present for Citadel to operate as the intermediate CA.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

  • Root CA: The top-level certificate (e.g., root-cert.pem) that acts as the trust anchor.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
  • Intermediate Credentials: The certificate and key (e.g., ca-cert.pem and ca-key.pem) used by Citadel to sign workload certificates.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
  • Certificate Chain: The file (e.g., cert-chain.pem) containing the chain of trust required for verification.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

Workload Certificate Generation

Once the CA hierarchy is established, Citadel uses the intermediate key to sign workload certificates that include specific SPIFFE identities.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

For example, a workload certificate for a service might include a URI Subject Alternative Name (SAN) such as spiffe://trust-domain-foo/ns/foo/sa/foo.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md] In this configuration, the workload certificate is signed with the intermediate CA's key (ca-key.pem, from the intermediate credentials above) rather than by a self-generated root.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
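
The hierarchy described above (operator-provided root, a Citadel-style intermediate signed by that root, and a workload leaf carrying a SPIFFE URI SAN) as an added example, written here in Go with only the standard library; it is illustrative code, not Istio's or Citadel's implementation. The type PKI and the functions NewRootCA, NewIntermediateCA, NewWorkloadCert and VerifyWorkload are names assumed for this example, the organization name is constructed, and P-256 keys and the lifetimes are arbitrary choices. VerifyWorkload plays the relying peer: it builds a path from the leaf through the chain to the trusted root and only then reads the SPIFFE identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// PKI is one tier of the hierarchy (a cert plus its key); an illustrative type, not an Istio API.
type PKI struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue fills in serial and validity, generates a fresh P-256 key for tmpl, and has parent
// sign it; a nil parent means self-signed.
func issue(tmpl *x509.Certificate, parent *PKI, lifetime time.Duration) (*PKI, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // never reuse serials
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, tmpl.BasicConstraintsValid = serial, true
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(lifetime)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &PKI{Cert: cert, Key: key}, err
}

// NewRootCA models the operator-provided trust anchor (root-cert.pem and its key).
func NewRootCA(org string) (*PKI, error) {
	t := &x509.Certificate{IsCA: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	t.Subject = pkix.Name{Organization: []string{org}, CommonName: "Root CA"}
	return issue(t, nil, 10*365*24*time.Hour)
}

// NewIntermediateCA models Citadel's signing credentials (ca-cert.pem / ca-key.pem).
// MaxPathLen 0 restricts it to signing leaves, so a leaked intermediate key cannot mint new CAs.
func NewIntermediateCA(root *PKI, org string) (*PKI, error) {
	t := &x509.Certificate{IsCA: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	t.Subject = pkix.Name{Organization: []string{org}, CommonName: "Intermediate CA"}
	t.MaxPathLen, t.MaxPathLenZero = 0, true
	return issue(t, root, 2*365*24*time.Hour)
}

// NewWorkloadCert issues a short-lived non-CA leaf whose only identity is a spiffe:// URI SAN,
// signed with the intermediate key rather than the root.
func NewWorkloadCert(inter *PKI, spiffeID string) (*PKI, error) {
	id, err := url.Parse(spiffeID)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" {
		return nil, fmt.Errorf("invalid SPIFFE ID %q", spiffeID)
	}
	t := &x509.Certificate{URIs: []*url.URL{id}, KeyUsage: x509.KeyUsageDigitalSignature}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return issue(t, inter, 24*time.Hour)
}

// VerifyWorkload is the peer's check: build a path from the leaf through the chain
// (cert-chain.pem) to the trusted root (root-cert.pem), then extract the SPIFFE ID.
func VerifyWorkload(leaf *x509.Certificate, chain []*x509.Certificate, root *x509.Certificate) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return "", err
	}
	if leaf.IsCA || len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("workload cert must be a non-CA leaf with exactly one spiffe:// SAN")
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	root, _ := NewRootCA("example-org") // constructed org name for the demo
	inter, _ := NewIntermediateCA(root, "example-org")
	wl, _ := NewWorkloadCert(inter, "spiffe://trust-domain-foo/ns/foo/sa/foo")
	id, err := VerifyWorkload(wl.Cert, []*x509.Certificate{inter.Cert}, root.Cert)
	fmt.Println("verified identity:", id, "err:", err)
}
```

Two properties are worth checking in practice with this setup: verification must fail when the intermediate is missing from the chain (peers only hold root-cert.pem, so cert-chain.pem must travel with the workload certificate), and it must fail against any root other than the one the intermediate was issued under, which is exactly what makes the operator's root the trust anchor.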

  • [[Zero trust network architecture]]
  • [[Public key infrastructure]]
  • Service Mesh

Sources

^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]