ISTIO_MUTUAL for gateway

istio version: 1.5.2

kubernetes version: 1.17

We followed the document provided in the link; instead of using the example pem file we created our own pem certificate.

  1. How certificates are generated
     We used the script available in the link for the generation of the certificates and created a root, an intermediate-ca, a server certificate and a client certificate.

  2. Command used to create secret
    kubectl create secret generic cacerts -n istio-system --from-file=2_intermediate/certs/ca-cert.pem --from-file=2_intermediate/private/ca-key.pem --from-file=1_root/certs/root-cert.pem --from-file=2_intermediate/certs/cert-chain.pem

  3. gateway
     In the gateway configuration we mentioned host as * and mode as "ISTIO_MUTUAL"

       - hosts:
         - "*"
         port:
           name: https
           number: 443
           protocol: HTTPS
         tls:
           mode: ISTIO_MUTUAL
  4. curl command for testing the configuration

    curl -v --cacert 2_intermediate/certs/ca-cert.pem --cert 4_client/certs/ --key 4_client/private/

    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: 2_intermediate/certs/ca-chain.cert.pem
        CApath: none
    * Server certificate:
    *   subject: (nil)
    *   start date: Jun 10 03:14:43 2020 GMT
    *   expire date: Sep 08 03:14:43 2020 GMT
    *   common name: (nil)
    *   issuer:,O=Dis,ST=Denial,C=US
    * Peer's certificate issuer has been marked as not trusted by the user.
    * Closing connection 0
  5. ingress gateway log having error

[Envoy (Epoch 0)] [2020-06-10 06:53:51.096][19][debug][http] [external/envoy/source/common/http/] [C1][S5834571573276687585] request end stream
[Envoy (Epoch 0)] [2020-06-10 06:53:51.096][19][debug][admin] [external/envoy/source/server/http/] [C1][S5834571573276687585] request complete: path: /stats?usedonly&filter=server.state
[Envoy (Epoch 0)] [2020-06-10 06:53:51.097][19][debug][http] [external/envoy/source/common/http/] [C1][S5834571573276687585] encoding headers via codec (end_stream=false):
':status', '200'
'content-type', 'text/plain; charset=UTF-8'
'cache-control', 'no-cache, max-age=0'
'x-content-type-options', 'nosniff'
'date', 'Wed, 10 Jun 2020 06:53:51 GMT'
'server', 'envoy'

[Envoy (Epoch 0)] [2020-06-10 06:53:51.829][30][debug][filter] [external/envoy/source/extensions/filters/listener/tls_inspector/] tls inspector: new connection accepted
[Envoy (Epoch 0)] [2020-06-10 06:53:51.957][30][debug][filter] [external/envoy/source/extensions/filters/listener/tls_inspector/] tls:onServerName(), requestedServerName:
[Envoy (Epoch 0)] [2020-06-10 06:53:51.957][30][debug][conn_handler] [external/envoy/source/server/] [C26] new connection
[Envoy (Epoch 0)] [2020-06-10 06:53:51.959][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/] [C26] handshake expecting read
[Envoy (Epoch 0)] [2020-06-10 06:53:51.959][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/] [C26] handshake expecting read
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/] [C26] handshake error: 1
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/] [C26] TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/common/network/] [C26] closing socket: 0

The problem we faced is that you have to give the complete chain while creating the secret. We use SIMPLE for the TLS settings, but hopefully this would work for ISTIO_MUTUAL as well.

Assuming your cert name is mycert.pfx,

here are the commands to get the complete chain:

openssl pkcs12 -in mycert.pfx -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.certs.pem

Here is the key command. Open the pem and remove the BAG attributes.

openssl pkcs12 -in mycert.pfx -nocerts -nodes -out mycert_key.pem

So your secret command would look like this (the chain file is the mycert.certs.pem produced above):

kubectl create -n istio-system secret generic gkegatewaysecret \
    --from-file=key=./mycert_key.pem \
    --from-file=cert=./mycert.certs.pem

Your gateway yaml would look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
      credentialName: "gkegatewaysecret"
    hosts:
    - "*"

Hope that works.

@Sabyasachi2k Thanks for the response,

please find the below link … it is mentioned not to provide any TLSOptions in the gateway for the mode ISTIO_MUTUAL.

But in the above example we are passing a credential name.

Please help me in understanding the same.

You are correct: when using ISTIO_MUTUAL it is not needed to give the certs; SDS takes care of it. We have not used this option. We used SIMPLE with the credential name and configured the mesh to enable mTLS for intra-mesh communication.

Thank you @Sabyasachi2k for the info.

Can you share any example document or procedure for the above mentioned step? It would be really helpful.

I already gave that in my previous reply. Let me know if that helps