Is it secure to have only external server certificate on Gateway?

Using Istio 1.11. I’ve got these external certificates: server certificate, private key, intermediate cert, and root cert.

I have placed the server certificate at the Gateway level as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: tls-secret
    hosts:
    - example.com

Is this secure, and does it mean that from the Gateway to the pod it would fall back on mTLS, or is there no encryption all the way to the pod? Or do I need to somehow implement my external cacerts for mTLS? I’m not finding any documentation on this.

With this approach, when showing the certs with openssl:

openssl s_client -showcerts -servername example.com -connect example.com:443

I am getting these errors:

20:unable to get local issuer certificate
21:unable to verify the first certificate

Did you follow the steps on Istio / Secure Gateways? The certificate you configured here, “tls-secret”, is used for the external client’s TLS connection to the gateway. Gateway-to-pod mTLS is set up automatically (the same as any other in-mesh connection).

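The two openssl errors in the question are what a client reports when the gateway presents only the server certificate and not the intermediate that issued it. The script below is an added example, not from this thread or the Istio project: it builds a constructed throwaway root/intermediate/server PKI, reproduces the failure with the server cert alone, shows the chain verifying once the intermediate is appended, and ends with the kubectl command that loads that chained file into the `tls-secret` the Gateway references (the `istio-system` namespace is assumed to be where the ingress gateway runs).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the question's openssl errors
# with a throwaway test PKI, then show that the file behind credentialName must
# carry the server cert followed by the intermediate, not the server cert alone.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)

newcsr() {  # newcsr <basename> <CN>: fresh P-256 key + CSR under $WORK
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Constructed test PKI: Test Root -> Test Intermediate -> example.com (server)
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$WORK/leaf.ext"
  newcsr root "Test Root" && newcsr inter "Test Intermediate" && newcsr tls "example.com"
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/tls.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Act like a TLS client: the first cert in the presented bundle is the server cert,
# anything after it is an untrusted intermediate, root.pem is the trust store.
verify_presented_chain() {
  awk '/BEGIN CERT/{n++} n==1' "$1" > "$WORK/first.pem"
  awk '/BEGIN CERT/{n++} n>1'  "$1" > "$WORK/rest.pem"
  if [ -s "$WORK/rest.pem" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/rest.pem" "$WORK/first.pem"
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/first.pem"
  fi
}

make_test_pki
cat "$WORK/leaf.pem" > "$WORK/leaf-only.crt"              # server cert alone
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/tls.crt"  # server cert + intermediate

verify_presented_chain "$WORK/leaf-only.crt" || echo "server cert alone: client cannot build the chain"
verify_presented_chain "$WORK/tls.crt" && echo "server cert + intermediate: chain verifies"

# Load the chained file into the secret that the Gateway's credentialName names;
# it must live in the ingress gateway's namespace (istio-system by default):
#   kubectl create -n istio-system secret tls tls-secret \
#     --key="$WORK/tls.key" --cert="$WORK/tls.crt"
```

Re-running the `openssl s_client -showcerts` command from the question after the secret is replaced should then list two certificates and no error 20/21; the root cert stays out of the secret, since the client supplies its own trust store.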

Great advice. Thank you