Is it secure to have only external server certificate on Gateway?

Using Istio 1.11. I’ve got these external certificates: server certificate, private key, intermediate cert, and root cert.

I have placed the server certificate at the Gateway level as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-secret
    hosts:
    - "*"  # hosts were not shown in the post; "*" is a placeholder

Is this secure, and does it mean that from the Gateway to the pod it would fall back on mTLS, or is there no encryption all the way to the pod? Or do I need to somehow implement my external cacerts for mTLS? I’m not finding any documentation on this.

With this approach, when showing the certs with openssl:

openssl s_client -showcerts -servername <hostname> -connect <hostname>:443

I am getting these errors:

20:unable to get local issuer certificate
21:unable to verify the first certificate

Did you follow the steps on Istio / Secure Gateways? The certificate you configured here, “tls-secret”, is used for the external client's TLS connection to the gateway. Gateway-to-pod mTLS is set up automatically (the same as any other in-mesh connection).

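The two openssl verify errors above appear when the client cannot find the issuer of the first certificate it received, typically because the secret holds only the server certificate and the intermediate is never sent. Added example, not from this thread or from Istio: a POSIX shell script that assembles the chain the gateway secret needs (server certificate followed by the intermediate) and checks it with openssl before the secret is created. File names and the throwaway test PKI it generates are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the tls.crt that a SIMPLE-mode
# Gateway secret needs (server cert followed by the intermediate) and verifies
# it the way a TLS client does, so that openssl's "unable to get local issuer
# certificate" error surfaces before the secret is created. File names are
# assumptions; the PKI below is a throwaway one generated so the check runs offline.
set -eu

# Generate root -> intermediate -> server certificates under $1 (test fixture only).
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj /CN=test-root \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=test-intermediate \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=gw.example.test \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# tls.crt for the gateway secret: the server certificate first, then the
# intermediate(s). The root is not needed; clients already trust it.
build_fullchain() {  # $1 server.crt, $2 intermediate.crt, $3 output path
  cat "$1" "$2" > "$3"
}

# Verify like a client that trusts only the root ($1) and has received the
# chain file ($2) from the server. Returns 0 when the leaf chains to the root.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Is the leaf the first block in the chain file? openssl reads the first PEM block.
leaf_is_first() {  # $1 chain file, $2 server.crt
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

# Create the gateway secret from the full chain (istio-system holds the ingress gateway):
#   kubectl create -n istio-system secret tls tls-secret --key=server.key --cert=fullchain.pem
```

Run chain_verifies against the bare server certificate first: it fails with the same error 20 the thread shows, and passes once the intermediate is appended.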

Great advice. Thank you