The pod's certificate chain has four certificates: the certificate of the current pod, the intermediate certificate of cluster1, the root certificate, and the root certificate again. Why does the root certificate need to be added twice?
The pod's certificate chain was obtained with the command `istioctl proxy-config secret helloworld-v1-b6c45f55-thwp9.sample -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode`.
I followed the doc "Istio / Plug in CA Certificates", created the cluster1 and cluster2 cacerts secrets, then installed Istio in these two clusters, and installed the helloworld-v1 deployment.
I looked at the source code, the code to generate the certificate chain is as follows, and the resulting certificate chain does have two root certificates:
```go
// security/pkg/server/ca/server.go
if certSigner == "" {
	// Default path: sign the CSR with the CA's own signing certificate.
	cert, signErr = s.ca.Sign([]byte(request.Csr), certOpts)
} else {
	serverCaLog.Debugf("signing CSR with cert chain")
	respCertChain, signErr = s.ca.SignWithCertChain([]byte(request.Csr), certOpts)
}
if signErr != nil {
	serverCaLog.Errorf("CSR signing error: %v", signErr.Error())
	s.monitoring.GetCertSignError(signErr.(*caerror.Error).ErrorType()).Increment()
	return nil, status.Errorf(signErr.(*caerror.Error).HTTPErrorCode(), "CSR signing error (%v)", signErr.(*caerror.Error))
}
if certSigner == "" {
	// The response starts with the freshly signed workload certificate ...
	respCertChain = []string{string(cert)}
	if len(certChainBytes) != 0 {
		// ... followed by the configured CA cert chain as one PEM blob
		// (whatever cert-chain.pem holds, which may already end with the root).
		respCertChain = append(respCertChain, string(certChainBytes))
		serverCaLog.Debugf("Append cert chain to response, %s", string(certChainBytes))
	}
}
if len(rootCertBytes) != 0 {
	// The root certificate is appended unconditionally, independent of
	// whether certChainBytes already contained it.
	respCertChain = append(respCertChain, string(rootCertBytes))
}
response := &pb.IstioCertificateResponse{
	CertChain: respCertChain,
}
s.monitoring.Success.Increment()
serverCaLog.Debugf("CSR successfully signed, sans %v.", caller.Identities)
return response, nil
```
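To check what a chain like the one above actually contains, the following is an added example (not Istio's code and not from the original post). It generates a constructed root, intermediate and SPIFFE workload certificate, assembles the PEM the same way the quoted `server.go` does (leaf, then the configured chain bytes assumed to be intermediate + root, then the root again), and then reports how many certificates are present, how many are distinct, whether the self-signed root is duplicated, and whether the leaf still verifies. The names `Inspect`, `BuildSampleChain`, `Report` and `mkCert` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

var serial int64 // simple serial counter for the constructed certificates

// mkCert creates a constructed certificate signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA {
		// Workload identity as Istio issues it: a SPIFFE URI SAN, usable for both TLS roles.
		tmpl.URIs = []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/sample/sa/default"}}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func toPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// BuildSampleChain mirrors the response assembly in server.go: leaf, then the
// configured chain bytes (assumed here to be intermediate + root, as a
// cert-chain.pem built from ca-cert.pem and root-cert.pem would be), then the root.
func BuildSampleChain() []byte {
	root, rootKey := mkCert("Root CA", true, nil, nil)
	inter, interKey := mkCert("Intermediate CA cluster1", true, root, rootKey)
	leaf, _ := mkCert("", false, inter, interKey)
	certChainBytes := toPEM(inter) + toPEM(root) // what certChainBytes holds
	rootCertBytes := toPEM(root)                 // what rootCertBytes holds
	respCertChain := []string{toPEM(leaf), certChainBytes, rootCertBytes}
	var out string
	for _, s := range respCertChain {
		out += s
	}
	return []byte(out)
}

// Report summarises a PEM certificate chain as delivered to a workload.
type Report struct {
	Total, Unique int
	DuplicateRoot bool // a self-signed root appears more than once
	Verifies      bool // the leaf verifies to the root through the other certificates
}

// Inspect parses every CERTIFICATE block, removes exact duplicates (by DER bytes)
// and verifies the first certificate against the self-signed ones found in the chain.
func Inspect(chainPEM []byte) Report {
	var certs []*x509.Certificate
	for rest := chainPEM; ; {
		var blk *pem.Block
		blk, rest = pem.Decode(rest)
		if blk == nil {
			break
		}
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return Report{}
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return Report{}
	}
	r := Report{Total: len(certs)}
	seen := map[string]int{}
	var unique []*x509.Certificate
	for _, c := range certs {
		seen[string(c.Raw)]++
		if seen[string(c.Raw)] == 1 {
			unique = append(unique, c)
		}
	}
	r.Unique = len(unique)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range unique[1:] {
		if c.CheckSignatureFrom(c) == nil { // self-signed: treat as a trust anchor
			roots.AddCert(c)
			if seen[string(c.Raw)] > 1 {
				r.DuplicateRoot = true
			}
		} else {
			inters.AddCert(c)
		}
	}
	_, err := unique[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	r.Verifies = err == nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Inspect(BuildSampleChain()))
}
```

Run against a real chain by replacing `BuildSampleChain()` with the decoded `certificateChain.inlineBytes` from the `istioctl proxy-config secret` output; a duplicated root is harmless for verification, since Go's verifier (like Envoy's) only needs one copy as a trust anchor, but `Unique` is the number worth comparing against what cacerts was configured with.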