Centrally Manage Citadel Certificates?

Hey folks, new here - go easy please.

I’m trying to help a company’s security with their new Istio deployment(s), and today they’re curious about centralized management and monitoring of certificate policies. Could an external certificate manager (e.g. Venafi) manage or monitor (at a minimum) Istio certs?

Thanks in advance.

Hi, Luke, and welcome!

I have heard anecdotally that Venafi isn’t ideal for issuing certs directly for Istio (because of the number of certs and frequency of rotation).

So I believe the typical use case is to use Venafi to generate a root cert and plug that root cert into Citadel (see docs here: https://istio.io/docs/tasks/security/citadel-config/plugin-ca-cert/ )

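To make the "plug a root into Citadel" pattern concrete, here is an added example (it is not code from this thread, from Istio, or from Venafi). It uses the openssl CLI to stand in for an externally managed root CA, signs an Istio intermediate CA with it, assembles the four files the plug-in CA task expects (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem), and prints the kubectl command that loads them into the `cacerts` secret in `istio-system`. It also includes two checks a monitoring tool would run against what ends up in the cluster: that the intermediate chains to the managed root, and that it is not close to expiry. The organisation names, file layout and the `CACERTS_DIR` variable are assumptions for illustration; in a real deployment the root key stays with the external CA (ideally in an HSM) and only the intermediate key goes into the cluster.

```shell
#!/bin/sh
# Added example, not from the original thread: emulate an external root CA
# (Venafi in the question) that signs an intermediate CA for Citadel.
set -eu

write_root_ext() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$1"
}

write_intermediate_ext() {
  # pathlen:0 stops the Citadel CA from minting further CAs.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid,issuer' > "$1"
}

# Stand-in for the externally managed root. In production this key never
# leaves the external CA; only root-cert.pem is handed to the cluster.
make_root_ca() {
  openssl genrsa -out "$1/root-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/root-key.pem" \
    -subj "/O=Example Corp/CN=Example Root CA" -out "$1/root.csr" 2>/dev/null
  write_root_ext "$1/root.ext"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root-key.pem" -days 3650 \
    -sha256 -extfile "$1/root.ext" -out "$1/root-cert.pem" 2>/dev/null
}

# Intermediate CA that Citadel will use to sign workload certs.
make_intermediate_ca() {
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/ca-key.pem" \
    -subj "/O=Example Corp/CN=Istio Intermediate CA" -out "$1/ca.csr" 2>/dev/null
  write_intermediate_ext "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -CA "$1/root-cert.pem" \
    -CAkey "$1/root-key.pem" -CAcreateserial -days 730 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca-cert.pem" 2>/dev/null
  # Chain presented to workloads: intermediate first, then the root.
  cat "$1/ca-cert.pem" "$1/root-cert.pem" > "$1/cert-chain.pem"
}

# Monitoring check 1: does the cert in the cluster chain to the managed root?
# Exit 0 if $2 was issued under root $1, non-zero otherwise.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Monitoring check 2: is the cert still valid for at least $2 seconds?
valid_for_at_least() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Build the directory layout the Istio plug-in CA task consumes.
build_cacerts_dir() {
  mkdir -p "$1"
  make_root_ca "$1"
  make_intermediate_ca "$1"
  chains_to_root "$1/root-cert.pem" "$1/ca-cert.pem"
  valid_for_at_least "$1/ca-cert.pem" 2592000   # 30 days
}

# Citadel reads exactly these four file names from the 'cacerts' secret.
print_secret_command() {
  echo "kubectl create secret generic cacerts -n istio-system \\"
  echo "  --from-file=$1/ca-cert.pem --from-file=$1/ca-key.pem \\"
  echo "  --from-file=$1/root-cert.pem --from-file=$1/cert-chain.pem"
}

CACERTS_DIR="${CACERTS_DIR:-$(mktemp -d)}"   # assumed location; override as needed
build_cacerts_dir "$CACERTS_DIR"
print_secret_command "$CACERTS_DIR"
```

Run the two checks against the same cert on a schedule and alert when `chains_to_root` fails (something other than the managed root signed the CA in the cluster) or `valid_for_at_least` fails (the intermediate is approaching expiry and a re-issue from the external CA is due). The `-checkend` value is in seconds, so 2592000 is thirty days.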