External CA key/cert expiration

jaid · February 18, 2020, 7:35pm

Hi there,

I have questions around the expiration of the external CA key/cert that’s plugged into Citadel.

I do not suppose we can follow the instructions on https://istio.io/docs/ops/configuration/security/root-transition/ exactly as written because they seem to be tailored to the built-in self-signed certs. Correct?
Is there a separate instruction page and/or script for external CAs?
Also, the page says “This may have some impact on your traffic” and then links to the Envoy hot restart page, which tells me that it’s designed to NOT drop connections. What is the “impact” then that the page is warning us about?
In general, whether or not we’re using an external CA, should we expect downtime when upgrading the signing cert/key? Or should updating the “cacerts” secret just work behind the scenes?

Thanks!

Topic		Replies	Views
Actions required for external CA key/cert to take effect? Security	2	768	May 29, 2020
Issues when Plugging in External CA Key and Certificate	0	626	February 12, 2020
'Upgrading' from citadel to istiod (istio 1.4 to 1.5) Security security	0	528	August 10, 2020
Expired root certificate Security	6	3684	June 19, 2019
Istio Sidecar trusts expired LE Root CA cert in trusted ca-certs (DST Root CA X3) security , release	0	767	November 12, 2021