How to force ISTIO_MUTUAL towards an external non-Istio workload with common trust anchor?


I have a service exposed on the internet at It is an Nginx configured for mTLS. The root certificate is the same as I used for generating the CAs of my Istio (1.12) meshes.

Now I want the workloads in my Istio meshes to be able to communicate with using the autogenerated certificates from istiod.

I have added as a ServiceEntry, and then tried to enforce ISTIO_MUTUAL using a DestinationRule. When running curl towards, from the main container of a meshed pod, the Istio proxy still does not provide the autogenerated certificates.

The logs of the sidecar proxy (log level: debug) state this:

envoy connection	X509_verify_cert: certificate verification error at depth 1: unable to get local issuer certificate

Which I guess is an indication of Istio proxy not considering its /run/secrets/istio/root-cert.pem.

Found a solution, heavily inspired by this article:
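For reference, this is the shape of the ServiceEntry plus DestinationRule pair the question describes, written out as an added example; it is not configuration from the original post or from the linked article, and `external.example.com` is a placeholder for the poster's host. It follows the Istio egress TLS-origination pattern: the application sends plain HTTP on port 80, and the sidecar wraps that connection in mTLS with its istiod-issued certificate and forwards it to port 443 on the real endpoint.

```yaml
# Added example, not from the original post.
# external.example.com is a placeholder for the external Nginx host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-mtls-nginx
spec:
  hosts:
  - external.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  # The app talks plain HTTP to port 80; the sidecar originates the TLS
  # session and connects to 443 on the external endpoint.
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-mtls-nginx
spec:
  host: external.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        # ISTIO_MUTUAL: present the workload certificate issued by istiod and
        # validate the server against the mesh trust bundle (root-cert.pem).
        mode: ISTIO_MUTUAL
```

Two checks are worth doing before reading the proxy logs further. First, the application container must call `http://external.example.com/` (plaintext), not `https://`; if the app itself speaks TLS, the sidecar can only pass that session through and never gets to present the Istio certificate. Second, a `certificate verification error at depth 1: unable to get local issuer certificate` means the chain the server sent could not be linked to a trusted root, so confirm with `openssl s_client -connect external.example.com:443 -showcerts` that the Nginx presents its intermediate CA along with the leaf, and with `istioctl proxy-config secret <pod>` that the sidecar has loaded the expected ROOTCA from istiod.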