Actions required for external CA key/cert to take effect?

Hi there,

I’ve tried updating the cacerts secret a few times now and the only reliable way that I’ve found for the new certs to take effect in both the control plane and data plane pods is to restart the Citadel pod. Then, it takes about a minute for all the pods (in both planes) to get reissued new certs using the new CA key.

The step to delete the secret “istio.default” in the docs is not working for me. I’ve tried deleting it in the default namespace as well as in istio-system and my own application namespace, but to no avail.

Could someone please confirm that Citadel does need to restart when plugging in a new CA key/cert (including a new CA key/cert when replacing a soon-to-expire one)?

And if that’s the case, it follows that we cannot do this with live traffic coming in.

Thanks for the confirmation/correction.