Manually Provision server/client certs with Istio Citadel

Is there a way to manually provision client and server certificates with Istio Citadel?

Use case:

  • Plug in custom CA intermediate certs to Istio
  • Generate Client/Server certs via this same root of trust via Istio
  • Use these certs on external (and even internal) workloads from the cluster.

I get that istiod/istio agent do this automatically for mesh workloads, but it would make things much easier if it could generate these certs for external workloads, i.e. ingress communications would fall under the same root of trust as the istio-secured, mTLS mesh.

@shankgan @Oliver I think we are going to support private CA?

Also, could you take a look at this: Istio / Plug in CA Certificates?