SPIFFE trust domain certificates

In the context of service meshes and Istio, sample certificates are used to demonstrate how a node (specifically Citadel acting as an intermediate CA) can be configured with an existing root certificate.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

Trust Domain Configuration

The certificates use distinct trust domains to segregate identities. The trust domain is carried explicitly in the SPIFFE URI placed in the Subject Alternative Name (SAN) of each workload certificate.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

  • Trust Domain "foo": Used for the workload foo. The corresponding SAN is spiffe://trust-domain-foo/ns/foo/sa/foo.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
  • Trust Domain "bar": Used for the workload bar. The corresponding SAN is spiffe://trust-domain-bar/ns/bar/sa/bar.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

Certificate Hierarchy

The sample files illustrate a chain of trust where a Root CA signs an intermediate certificate, which in turn signs the workload certificates.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]

  • Root CA: Represented by files such as root-cert.pem and root-cert-alt.pem.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
  • Intermediate CA: The Citadel components (ca-cert.pem and ca-cert-alt.pem) act as the intermediate authority.^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
  • Workload Certs: The end-entity certificates (workload-foo-cert.pem and workload-bar-cert.pem) are signed by the intermediate CA's private key (ca-cert.key).^[400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md]
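The following Go program is an added example, not code from the Istio repository or its samples directory. It rebuilds the same hierarchy in memory (a root CA, a "Citadel" intermediate, and one workload certificate per trust domain with a spiffe:// URI SAN) and then shows the two checks a verifier has to perform: the chain must terminate at the trusted root through the intermediate, and the trust domain in the SAN must be the one the verifier expects. The function names, the CA common names and the in-memory generation are assumptions made for this example; only the trust domains and SPIFFE IDs come from the page above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// caTemplate builds a CA certificate template (root or intermediate).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// workloadTemplate builds an end-entity template whose only identity is the
// SPIFFE URI SAN spiffe://<trustDomain>/ns/<ns>/sa/<sa>, as in the Istio samples.
func workloadTemplate(trustDomain, ns, sa string, serial int64) *x509.Certificate {
	id := &url.URL{Scheme: "spiffe", Host: trustDomain, Path: fmt.Sprintf("/ns/%s/sa/%s", ns, sa)}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
}

// issue signs template with parentKey; a nil parent yields a self-signed root.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SamplePKI mirrors the sample files: root-cert -> ca-cert (Citadel) -> workload certs.
type SamplePKI struct {
	Root, Intermediate, Foo, Bar *x509.Certificate
}

// BuildSamplePKI generates the whole hierarchy in memory (constructed test data).
func BuildSamplePKI() (*SamplePKI, error) {
	root, rootKey, err := issue(caTemplate("Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Citadel Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	foo, _, err := issue(workloadTemplate("trust-domain-foo", "foo", "foo", 3), inter, interKey)
	if err != nil {
		return nil, err
	}
	bar, _, err := issue(workloadTemplate("trust-domain-bar", "bar", "bar", 4), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &SamplePKI{Root: root, Intermediate: inter, Foo: foo, Bar: bar}, nil
}

// VerifyWorkload checks the chain leaf -> intermediate -> root and that the
// leaf's single spiffe:// SAN belongs to expectedTrustDomain. It returns the SPIFFE ID.
func VerifyWorkload(leaf, intermediate, root *x509.Certificate, expectedTrustDomain string) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	var ids []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 {
		return "", errors.New("expected exactly one spiffe:// URI SAN")
	}
	if ids[0].Host != expectedTrustDomain {
		return "", fmt.Errorf("trust domain %q does not match expected %q", ids[0].Host, expectedTrustDomain)
	}
	return ids[0].String(), nil
}

func main() {
	pki, err := BuildSamplePKI()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cert *x509.Certificate
		td   string
	}{
		{"foo presented as foo", pki.Foo, "trust-domain-foo"},
		{"bar presented as bar", pki.Bar, "trust-domain-bar"},
		{"bar presented as foo", pki.Bar, "trust-domain-foo"}, // must be rejected
	}
	for _, c := range cases {
		id, err := VerifyWorkload(c.cert, pki.Intermediate, pki.Root, c.td)
		fmt.Printf("%-22s id=%q err=%v\n", c.name, id, err)
	}
}
```

The third case is the one that matters operationally: the bar certificate chains perfectly to the same root, so signature checking alone accepts it; only the trust-domain comparison on the SAN keeps a workload from one trust domain from being accepted as a member of the other.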

Sources

  • 400-devops-07-monitoring-and-observability-k8s-istio-samples-certs-readme.md
  • Istio
  • [[Certificate Authority]]
  • [[Zero Trust Network]]
  • [[Subject Alternative Name]]