Custom CA on istio 1.6.2

Hi, I’ve been trying to get the replicated control plane to work on Istio 1.6.2 with a custom CA by following the guide located at https://istio.io/latest/docs/setup/install/multicluster/gateways/. Some details on what I’ve done:

Cluster: Google Kubernetes Engine
Type: Private Cluster

  1. Deployed a private CA using https://github.com/smallstep/certificates
  2. Generated a certificate, exported the root and intermediate certificates for the CA
  3. Validated that all certificates can be linked up their chain (actually, even used it for a hello-world webhost just to be absolutely sure they work)
  4. Renamed all the files to the correct naming and created cacerts: ca-cert.pem, ca-key.pem, cert-chain.pem and root-cert.pem
  5. Tried to deploy istio using the manifests/examples/multicluster/values-istio-multicluster-gateways.yaml as per the guide

However, istiod continuously fails to work with the certificate and reports the following error:
Error: failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates

I’ve tried swapping certificates to a legitimate wildcard certificate from GoDaddy but that failed as well. If I delete cacerts or use Istio’s sample certs, the deployment works. I did some digging and found that the sample ca-cert.pem provided with istioctl has the following which my custom CA cert and GoDaddy certificate does not have:

X509v3 Key Usage:
Certificate Sign

Could someone verify if this is a required condition for certificates to work with istiod? Is there an easier way to go about getting a custom CA to work with 1.6.2? My apologies if I missed this in the documentation somewhere, but if anyone could point it out to me, it would help a lot, thanks!

I’ve resolved this, here is what I did, hope it helps someone:

  1. Switched to cfssl as the CA; you need the ability to modify the key usage and extended key usage of the certs
  2. Generated a CA Cert (root-cert.pem) & Intermediate Cert according to this guide: https://www.mikenewswanger.com/posts/2018/kubernetes-pki/
  3. Generated a Cert for Istio’s usage (ca-cert.pem & ca-key.pem). This was the extremely tricky part. The cert should have the Key Usage “Certificate Signing” and if you are using the same cfssl version that I am, add the Extended Key Usage “any”*
  4. Combine the above 3 certs into a cert-chain.pem file
  5. Use the 4 files to deploy cacerts as per the Istio guide

*I lack the expertise to explain the necessity behind the “any” Extended Key Usage but I got the clue from here: https://github.com/jetstack/cert-manager/issues/2407 on jessedearing’s comment about RFC 5280. If any Extended Key Usage exists, it must conform to the exact usage of the Key. Therefore, without knowing more about Istio’s usage of the Key, I added the “any” value. Please note, this could be insecure.


Try generating the root CA, intermediate CA, and cert chain using step certificate; it is easier.

You can do something like:

step certificate create zufar-root-ca root-cert.pem root-key.pem --profile root-ca  --kty RSA --no-password --insecure --not-after 87600h --san zufardhiyaulhaq.com
step certificate create zufar-intermediate-ca ca-cert.pem ca-key.pem --profile intermediate-ca --kty RSA --ca ./root-cert.pem --ca-key ./root-key.pem --no-password --insecure --not-after 43800h --san zufardhiyaulhaq.com
step certificate bundle ca-cert.pem root-cert.pem cert-chain.pem
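An added example, not from this thread, from Istio or from either tool above, that makes the check concrete for both procedures (the cfssl steps in the answer above and the step commands just shown). Istio is written in Go, and the error in the first post is the text of Go's crypto/x509 NotAuthorizedToSign error, which the chain verifier raises when a certificate not marked as a CA is used as an issuer. The program builds a constructed root and a candidate ca-cert with the standard library, then runs a preflight that checks what RFC 5280 requires of a signing certificate: the cert verifies to the root through the chain, Basic Constraints CA:TRUE is set, and Key Usage includes Certificate Sign. The names demo-root, demo-istio-ca, newCert, Preflight and Scenario are made up here; that istiod verifies with Go's default extended-key-usage setting is an assumption, marked in a comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate with the given CA flag, key usage and EKU list.
// parent == nil makes it self-signed (a root). P-256 keys keep the demo short.
func newCert(cn string, isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Preflight checks whether caCert can serve as istiod's signing certificate
// (ca-cert.pem): it must chain to a root (root-cert.pem) through the
// intermediates (cert-chain.pem), be marked CA:TRUE (RFC 5280 4.2.1.9) and
// carry the keyCertSign key usage (RFC 5280 4.2.1.3).
func Preflight(caCert *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	// opts.KeyUsages is left at Go's default (serverAuth) on purpose: a chain
	// member whose EKU extension lists neither serverAuth nor anyExtendedKeyUsage
	// is then rejected, which is the behaviour the "any" EKU footnote in the
	// thread works around. That istiod runs with this default is an assumption.
	if _, err := caCert.Verify(opts); err != nil {
		return fmt.Errorf("ca-cert does not verify against root-cert: %w", err)
	}
	if !caCert.BasicConstraintsValid || !caCert.IsCA {
		return errors.New("ca-cert is missing X509v3 Basic Constraints CA:TRUE")
	}
	if caCert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("ca-cert is missing X509v3 Key Usage: Certificate Sign")
	}
	return nil
}

// Scenario builds a constructed root plus a candidate ca-cert with the given
// properties and returns Preflight's verdict. No real certificates are involved.
func Scenario(isCA bool, ku x509.KeyUsage, eku []x509.ExtKeyUsage) error {
	root, rootKey, err := newCert("demo-root", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	if err != nil {
		return err
	}
	ca, _, err := newCert("demo-istio-ca", isCA, ku, eku, root, rootKey)
	if err != nil {
		return err
	}
	// cert-chain.pem holds the signing cert followed by everything up to the root.
	return Preflight(ca, []*x509.Certificate{ca, root}, []*x509.Certificate{root})
}

func main() {
	fmt.Println("intermediate CA with keyCertSign:", Scenario(true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil))
	fmt.Println("TLS/wildcard-style leaf (CA:FALSE, no keyCertSign):", Scenario(false, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, nil))
	fmt.Println("CA:TRUE without keyCertSign:", Scenario(true, x509.KeyUsageDigitalSignature, nil))
	fmt.Println("CA restricted to EKU clientAuth:", Scenario(true, x509.KeyUsageCertSign, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}))
}
```

The second scenario is what a TLS server certificate such as a wildcard certificate looks like: it chains to the root and is perfectly valid for serving, yet is issued with CA:FALSE and without keyCertSign, so it passes chain verification and fails the CA check, which is the situation described in the first post. To run Preflight against a real cacerts set, decode each PEM file with pem.Decode and x509.ParseCertificate and pass the first certificate of ca-cert.pem, all certificates of cert-chain.pem and all certificates of root-cert.pem.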

Hey Zufar,

Thanks for the reply, I actually tried smallstep first, but I could not modify the Key Usage and Key Extended Usage values.

I believe this is tracked here: https://github.com/smallstep/cli/issues/110