Ingress mTLS with Client Certificate from a Trusted CA


We are attempting to set up mTLS on our Ingress Gateway with Trusted client certificates.

  1. We have observed that using the credentialName when the mode is MUTUAL does not seem to work.
  2. We specified the serverCertificate, privateKey and caCertificates and that does work, but you can put anything in caCertificates and the request goes through. Istio acts like the caCertificates is completely ignored, e.g. I put a zero-byte file named ca.crt at /etc/istio/ingressgateway-ca-certs/ca.crt and it worked.

Is Istio ignoring the caCertificates because the Client certificate is from a Trusted CA?

Thank you.