Hey folks, new here - go easy please.
I’m trying to help a company’s security with their new Istio deployment(s) and today their curious about centralized management and monitoring of certificate policies. Could an external certificate manager (e.g. Venafi) manage or monitor (at a minimum) Istio certs?
Thanks in advance.
Hi, Luke, and welcome!
I have heard anecdotally that Venafi isn’t ideal for issuing certs directly for Istio (because of the number of certs and frequency of rotation).
So I believe the typical use case is to use Venafi to generate a root cert and plug that root cert into Citadel (see docs here: https://istio.io/docs/tasks/security/citadel-config/plugin-ca-cert/ )