Is it possible to examine the mTLS certificate in Istio 1.5?

In 1.4, Citadel would write the certs to secrets (and apparently to /etc/certs in istio-proxy of a given pod), so you could view the cert to see the principal, the expiration, etc. With 1.5, certs are no longer written to secrets or to /etc/certs, so is there somewhere I can view the cert?

The certificate can be viewed through the openssl s_client command. The following example command retrieves the certificate of an example service httpbin (the details can be found in

kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items…}) -c istio-proxy -n foo -- openssl s_client -showcerts -connect > httpbin-proxy-cert.txt

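Once httpbin-proxy-cert.txt has been saved as in the answer above, the principal and expiration asked about in the question can be read from it with openssl x509. This is an added example, not part of the thread or Istio's own tooling; the helper names and the sample certificate (a throwaway self-signed cert carrying a constructed SPIFFE URI) are assumptions made for illustration.

```shell
# Inspect the leaf certificate inside saved `openssl s_client -showcerts` output.

# Print only the first PEM block: the certificate the peer proxy presented.
leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1}
       p {print}
       /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# Print the principal, i.e. the URI subjectAltName (a SPIFFE ID for Istio workloads).
cert_principal() {
  leaf_cert "$1" | openssl x509 -noout -text |
    grep -o 'URI:[^,[:space:]]*' | sed 's/^URI://'
}

# Print the expiration (notAfter) of the leaf certificate.
cert_not_after() {
  leaf_cert "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Succeed only if the leaf certificate is still valid $2 seconds from now.
cert_valid_for() {
  leaf_cert "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Constructed sample so the example runs offline: a 1-day self-signed cert with a
# made-up SPIFFE URI, wrapped in s_client-style text. The same PEM is repeated as
# a stand-in for the rest of the chain, to show that only the leaf is parsed.
make_sample() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -keyout "$1/key.pem" -out "$1/leaf.pem" -subj "/O=constructed-example" \
    -addext "subjectAltName=URI:spiffe://cluster.local/ns/foo/sa/httpbin" 2>/dev/null
  { echo "CONNECTED(00000003)"; echo "---"; echo "Certificate chain"
    echo " 0 s:"; cat "$1/leaf.pem"
    echo " 1 s:O = constructed-example"; cat "$1/leaf.pem"
    echo "---"; } > "$1/httpbin-proxy-cert.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "principal: $(cert_principal "$tmp/httpbin-proxy-cert.txt")"
echo "expires:   $(cert_not_after "$tmp/httpbin-proxy-cert.txt")"
cert_valid_for "$tmp/httpbin-proxy-cert.txt" 3600 && echo "valid for at least 1h"
```

Against a real capture, skip make_sample and pass the saved file straight to the helper functions.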

I think it’s in the config dump as well?

This is perfect, thanks!

What’s the config dump?


Found istioctl proxy-config command, but I don’t see anything that immediately looks like it would provide a dump of the certificate. Is there a specific command you know of? Can get the raw config dump

istioctl proxy-config secret will get this as well
