Is it possible to examine the mTLS certificate in Istio 1.5?

In 1.4, Citadel would write the certs to secrets (and apparently to /etc/certs in the istio-proxy of a given pod), so you could view the cert to see the principal, the expiration, etc. With 1.5, certs are no longer written to secrets or to /etc/certs, so is there somewhere I can view the cert?

The certificate can be viewed through the openssl s_client command. The following example command retrieves the certificate of an example service httpbin (the details can be found in Istio / Plug in CA Certificates).

$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c istio-proxy -n foo -- openssl s_client -showcerts -connect httpbin.foo:8000 > httpbin-proxy-cert.txt

1 Like
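To read the principal and expiration out of the saved `httpbin-proxy-cert.txt`, the following shell helpers are an added example, not part of the original posts or of Istio's tooling. The function names are assumptions of this example, and it assumes the workload identity is carried as a SPIFFE URI in the certificate's subjectAltName.

```shell
#!/bin/sh
# Added example: inspect certificates saved from `openssl s_client -showcerts`.
# Function names are hypothetical; requires awk and the openssl CLI.

# split_chain FILE OUTDIR
# Writes each PEM block of the "Certificate chain" section to OUTDIR/cert-N.pem
# (cert-0.pem is the certificate the peer presented) and prints the count.
# s_client repeats the peer certificate under "Server certificate"; parsing
# stops there so that copy is not counted a second time.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^Server certificate/         { exit }
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { if (inside) { close(out); n++ }; inside = 0 }
    END                           { print n + 0 }
  ' "$1"
}

# cert_principal PEMFILE
# Prints the first URI subjectAltName (assumed to be the SPIFFE identity,
# e.g. spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>).
cert_principal() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^, ]*' | head -n 1 | sed 's/^URI://'
}

# cert_expiry PEMFILE
# Prints the notAfter timestamp of the certificate.
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Stand-alone use: sh inspect.sh httpbin-proxy-cert.txt
if [ "$#" -ge 1 ]; then
  dir=$(mktemp -d)
  count=$(split_chain "$1" "$dir")
  echo "certificates in chain: $count"
  i=0
  while [ "$i" -lt "$count" ]; do
    pem="$dir/cert-$i.pem"
    echo "cert-$i principal=$(cert_principal "$pem") notAfter=$(cert_expiry "$pem")"
    i=$((i + 1))
  done
fi
```

CA certificates in the chain normally have no URI SAN, so their principal field prints empty.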

I think it’s in the config dump as well?

This is perfect, thanks!

What’s the config dump?

Edit:

Found the istioctl proxy-config command, but I don’t see anything that immediately looks like it would provide a dump of the certificate. Is there a specific command you know of?

https://github.com/istio/istio/wiki/Troubleshooting-Istio can get the raw config dump

istioctl proxy-config secret will get this as well

2 Likes