Custom CA on istio 1.6.2

Hi, I’ve been trying to get the replicated control plane to work on Istio 1.6.2 with a custom CA by following the guide located at Some details on what I’ve done:

Cluster: Google Kubernetes Engine
Type: Private Cluster

  1. Deployed a private CA using
  2. Generated a certificate, exported the root and intermediate certificates for the CA
  3. Validated that all certificates can be linked up their chain (actually, even used it for a hello-world webhost just to be absolutely sure they work)
  4. Renamed all the files to the correct naming and created cacerts: ca-cert.pem, ca-key.pem, cert-chain.pem and root-cert.pem
  5. Tried to deploy istio using the manifests/examples/multicluster/values-istio-multicluster-gateways.yaml as per the guide

However, istiod continuously fails to work with the certificate and reports the following error:
Error: failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates

I’ve tried swapping certificates to a legitimate wildcard certificate from GoDaddy but that failed as well. If I delete cacerts or use Istio’s sample certs, the deployment works. I did some digging and found that the sample ca-cert.pem provided with istioctl has the following which my custom CA cert and GoDaddy certificate does not have:

X509v3 Key Usage:
Certificate Sign

Could someone verify if this is a required condition for certificates to work with istiod? Is there an easier way to go about getting a custom CA to work with 1.6.2? My apologies if I missed this in the documentation somewhere, but if anyone could point it out to me, it would help a lot, thanks!

I’ve resolved this, here is what I did, hope it helps someone:

  1. Switched to cfssl as the CA, you need the ability to modify key usage and extended key usage of the certs
  2. Generated a CA Cert (root-cert.pem) & Intermediate Cert according to this guide:
  3. Generated a Cert for Istio’s usage (ca-cert.pem & ca-key.pem). This was the extremely tricky part. The cert should have the Key Usage “Certificate Signing” and if you are using the same cfssl version that I am, add the Extended Key Usage “any”*
  4. Combine the above 3 certs into a cert-chain.pem file
  5. Use the 4 files to deploy cacerts as per the Istio guide

*I lack the expertise to explain the necessity behind the “any” Extended Key Usage but I got the clue from here: on jessedearing’s comment about RFC 5280. If any Extended Key Usage exists, it must conform to the exact usage of the Key. Therefore, without knowing more about Istio’s usage of the Key, I added the “any” value. Please note, this could be insecure.

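
As an added example (not code from this thread or from Istio), the following Go program reproduces the two conditions the posts above identify for the file that becomes ca-cert.pem: it must chain to root-cert.pem, and it must carry the X509v3 Key Usage "Certificate Sign" bit. It also shows why the "any" Extended Key Usage matters: Go's crypto/x509 Verify, when called with no KeyUsages in VerifyOptions, requires every certificate in the chain that has an Extended Key Usage to list ServerAuth or Any, so an intermediate whose EKU lists only clientAuth fails with "certificate specifies an incompatible key usage", while one with Any passes. That istiod verifies the bundle with those default options is an assumption here; the function names (issueCA, checkSigningCert, scenario) and the subject names are made up for the example, and the exact checks istiod 1.6.2 runs are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caPair is an issued certificate together with its private key.
type caPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Constructed EKU sets for the scenarios below (assumed, not Istio's).
var (
	ekuClientAuthOnly = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ekuAny            = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
)

// issueCA issues a CA certificate (CA:TRUE). parent == nil produces a
// self-signed root; otherwise the certificate is signed by parent. certSign
// controls the Key Usage "Certificate Sign" bit; eku is written as the
// Extended Key Usage extension (nil means the extension is absent).
func issueCA(cn string, parent *caPair, certSign bool, eku []x509.ExtKeyUsage) (*caPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if certSign {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caPair{Cert: cert, Key: key}, nil
}

// pemChain renders certificates as a PEM bundle in the order given, the
// layout Istio expects for cert-chain.pem (signing cert first, root last).
func pemChain(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// checkSigningCert applies the two conditions from the thread to a candidate
// ca-cert.pem: chain to root-cert.pem under crypto/x509's default options,
// then require the Certificate Sign key usage. The messages are chosen to
// resemble the ones reported above; they are not istiod's own code.
func checkSigningCert(caCertPEM, rootCertPEM []byte) error {
	block, _ := pem.Decode(caCertPEM)
	if block == nil {
		return errors.New("ca-cert.pem: no PEM block found")
	}
	caCert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootCertPEM) {
		return errors.New("root-cert.pem: no certificates found")
	}
	if _, err := caCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("cannot verify the cert with the provided root: %w", err)
	}
	if caCert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("certificate is not authorized to sign other certificates")
	}
	return nil
}

// scenario builds a root plus a signing cert with the requested flags and
// returns checkSigningCert's verdict, so each case can be inspected alone.
func scenario(certSign bool, eku []x509.ExtKeyUsage) error {
	root, err := issueCA("example-root", nil, true, nil)
	if err != nil {
		return err
	}
	signing, err := issueCA("example-istio-ca", root, certSign, eku)
	if err != nil {
		return err
	}
	return checkSigningCert(pemChain(signing.Cert), pemChain(root.Cert))
}

func main() {
	cases := []struct {
		name     string
		certSign bool
		eku      []x509.ExtKeyUsage
	}{
		{"Certificate Sign, no EKU", true, nil},
		{"no Certificate Sign", false, nil},
		{"Certificate Sign, EKU clientAuth only", true, ekuClientAuthOnly},
		{"Certificate Sign, EKU any", true, ekuAny},
	}
	for _, c := range cases {
		if err := scenario(c.certSign, c.eku); err != nil {
			fmt.Printf("%-40s FAIL: %v\n", c.name, err)
		} else {
			fmt.Printf("%-40s OK\n", c.name)
		}
	}
}
```

Run it with `go run` to see the four verdicts; only the first and last cases pass. The "any" case is the practical reason the footnote above works: an EKU extension that omits both serverAuth and any makes Go's default verification reject the chain even when the Certificate Sign key usage is correct, whereas omitting the EKU extension altogether (as the sample ca-cert.pem does) is also accepted.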

try generating root ca, intermediate ca, and cert chain using step certificate, it is easier.

you can do something like:

step certificate create zufar-root-ca root-cert.pem root-key.pem --profile root-ca  --kty RSA --no-password --insecure --not-after 87600h --san
step certificate create zufar-intermediate-ca ca-cert.pem ca-key.pem --profile intermediate-ca --kty RSA --ca ./root-cert.pem --ca-key ./root-key.pem --no-password --insecure --not-after 43800h --san
step certificate bundle ca-cert.pem root-cert.pem cert-chain.pem

Hey Zufar,

Thanks for the reply, I actually tried smallstep first, but I could not modify the Key Usage and Key Extended Usage values.

I believe this is tracked here: