Actions required for external CA key/cert to take effect?

Hi there,

I’ve tried updating the cacerts secret a few times now and the only reliable way that I’ve found for the new certs to take effect in both the control plane and data plane pods is to restart the Citadel pod. Then, it takes about a minute for all the pods (in both planes) to get reissued new certs using the new CA key.

The step to delete the secret “istio.default” in the docs is not working for me. I’ve tried deleting it in the default namespace as well as in istio-system and my own application namespace, but to no avail.

Could someone please confirm that Citadel does need to restart when plugging in a new CA key/cert (including a new CA key/cert when replacing a soon-to-expire one)?

And if that’s the case, it follows that we cannot do this with live traffic coming in.

Thanks for the confirmation/correction.


Which Istio version did you use?

I tried https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/ using Istio 1.6, and I find that if I create cacerts after the Istio installation, it does not take effect. httpbin will only return 2 certs (the cert and the CA cert) when using this command:

sleep 20; kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c istio-proxy -n foo -- openssl s_client -showcerts -connect httpbin.foo:8000 > httpbin-proxy-cert.txt

I tried restarting the istiod pod and restarting httpbin, but httpbin-proxy-cert.txt still only includes 2 certs.

After I redeployed httpbin, httpbin-proxy-cert.txt returns 3 certs (adding the root CA).

But I don't think redeploying httpbin is reasonable. Did I do any step wrong?
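An added check, not from the thread or from Istio, for the 2-versus-3-cert symptom described in the post above: it reads the `s:`/`i:` summary lines that `openssl s_client -showcerts` writes into a capture such as httpbin-proxy-cert.txt, counts the chain, and reports whether a self-signed root is served and whether each issuer matches the next subject. The distinguished names and the `fake_capture` helper are constructed for the example.

```python
import re
import sys
from typing import List, NamedTuple, Tuple

# s_client prints one " N s:<subject>" line followed by "   i:<issuer>" per chain entry.
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


class Link(NamedTuple):
    depth: int
    subject: str
    issuer: str


def parse_chain(capture: str) -> List[Link]:
    """Extract depth/subject/issuer from the chain summary; no certificate decoding needed."""
    return [Link(int(d), s.strip(), i.strip()) for d, s, i in ENTRY_RE.findall(capture)]


def check_chain(links: List[Link]) -> dict:
    """Report what a CA-rotation check cares about: chain length, whether the root CA is
    actually served (last entry self-signed), and whether every issuer is the next subject."""
    links_ok = all(a.issuer == b.subject for a, b in zip(links, links[1:]))
    root_served = bool(links) and links[-1].subject == links[-1].issuer
    return {"count": len(links), "root_served": root_served, "links_ok": links_ok,
            "top_issuer": links[-1].issuer if links else None}


def fake_capture(pairs: List[Tuple[str, str]]) -> str:
    """Constructed stand-in for httpbin-proxy-cert.txt: renders the chain section only."""
    out = ["Certificate chain"]
    for depth, (subj, iss) in enumerate(pairs):
        out += [f" {depth} s:{subj}", f"   i:{iss}", "-----BEGIN CERTIFICATE-----",
                "constructed-placeholder-not-a-real-certificate", "-----END CERTIFICATE-----"]
    return "\n".join(out + ["---"])


# Constructed DNs modelled on an intermediate signing CA under a plugged-in root.
INTERMEDIATE, ROOT = "O = Istio, CN = Intermediate CA", "O = Istio, CN = Root CA"
TWO_CERTS = [("", INTERMEDIATE), (INTERMEDIATE, ROOT)]           # root CA not served
THREE_CERTS = TWO_CERTS + [(ROOT, ROOT)]                          # root CA served

if __name__ == "__main__":
    # Pass a real capture path to inspect it; otherwise show both constructed cases.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(check_chain(parse_chain(fh.read())))
    else:
        for pairs in (TWO_CERTS, THREE_CERTS):
            print(check_chain(parse_chain(fake_capture(pairs))))
```

A capture whose report shows `root_served` false but `links_ok` true matches the 2-cert case in the post: the workload and intermediate certs chain correctly, but the root named in `top_issuer` is not being served.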

I was on 1.4.2, I think. Sorry, I have not tried it on 1.5.* or later. Any progress since your last post, though?