Integration of ISTIO with the existing Enterprise’s PKI infrastructure

Will there be a possibility of integrating ISTIO’s certificate management system with the existing Enterprise’s PKI infrastructure for Certificate management? Especially while handling root certificates which are used to sign workload certificates? (https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/)

Is it safe to leverage on ISTIO’s default Certificate Manager and self-signed certificates?

Any alternative solutions available for ISTIO’s Certificate management system?

When you say you want to integrate with Istio’s certificate management system, do you mean that:

  1. You want Istio to handle generating workload certificates with your pre-existing root certificate?
  2. You want to have your pre-existing PKI handle generating workload certificates instead of Istio?

For 1, you can consider creating an intermediate signing certificate for Istio. This signing certificate can use Name Constraints to limit the scope of certificates it is permitted to sign (reducing the risk for the rest of your infrastructure). This will work well with most authn/authz features of Istio out of the box. If you want to be able to authenticate connections between Istio-signed certificates and externally-signed certificates, see this page for the guide on plugging in an existing signing certificate and root certificate for Istio.

For 2, it depends on what your setup is. Do you currently use an open source tool as your certificate authority, like Vault? Or do you have something custom-built? In either case, it’s possible to integrate any pre-existing certificate framework, but it will take some more manual work in how you actually inject & configure Istio proxies.
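To make the Name Constraints idea in option 1 concrete, here is an added example (not code from this thread or from Istio) that builds an enterprise root, an Istio intermediate constrained to the assumed mesh trust domain cluster.local, and a workload certificate carrying an assumed SPIFFE ID, then checks which chains verify; it uses only the Go standard library and constructs all keys in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// tmpl returns a minimal certificate template; CA templates also get CA:TRUE and keyCertSign.
func tmpl(serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// sign issues t under parent/parentKey, or self-signs it when parent is nil; keys are constructed fresh.
func sign(t, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// WorkloadChainOK builds enterprise root -> name-constrained Istio intermediate -> workload leaf whose SPIFFE URI SAN lives in trustDomain (assumed path), and reports whether the leaf verifies to the root.
func WorkloadChainOK(trustDomain string) bool {
	root, rootKey := sign(tmpl(1, true), nil, nil)
	icaT := tmpl(2, true)
	icaT.PermittedURIDomains = []string{"cluster.local"} // nameConstraints: only mesh-trust-domain URIs
	ica, icaKey := sign(icaT, root, rootKey)
	leafT := tmpl(3, false)
	leafT.URIs = []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: "/ns/default/sa/bookinfo"}}
	leaf, _ := sign(leafT, ica, icaKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```

A leaf in cluster.local verifies, while one the same intermediate signs for any other trust domain is rejected by the constraint, which is the blast-radius reduction the answer describes. In a real deployment the intermediate certificate and key, the root certificate and the chain are the files the linked guide has you place in the cacerts secret in istio-system.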

Hi Brian,

Thanks a lot for quick response. It’s very helpful.

Our point: from a security standpoint, it’s always recommended to leverage the existing Enterprise PKI infrastructure for central management.

Both of the suggested solutions are good and can be explored further. So, the best recommendation is to leverage a central PKI solution (the Enterprise’s existing PKI) for all the certificates: root certificate, workload certificates and their rotation.

In case of any major challenges with the above approach, it is better to get the root certificate from the central PKI infrastructure and have the rest of the workload certificates signed by Istio using the provided root certificate, instead of relying totally on Istio’s default certificate manager. So, this is my observation on this thread. Once again, thanks a lot for your quick help.