Manually Provision server/client certs with Istio Citadel

darkdatter · March 23, 2021, 2:52pm

Is there a way to manually provision client and server certificates with Istio Citadel?

Use case:

Plug in custom CA intermediate certs to Istio
Generate Client/Server certs via this same root of trust via Istio
Use these certs on external (and even internal) workloads from the cluster.

I get that istiod/istio agent do this automatically for mesh workloads, but It would make things much easier if it could generate these certs for external workloads i.e. ingress communications would fall under the same root of trust as the istio-secured, mTLS mesh.

William_Li · March 27, 2021, 7:58pm

@shankgan @Oliver I think we are going to support private CA?

Also Could you take a look at this Istio / Plug in CA Certificates?

Topic		Replies	Views
Centrally Manage Citadel Certificates? Security	1	815	December 11, 2019
Custom client certificates for service to service calls Security	8	2770	April 3, 2019
Why not use cert-manager to manage ca cert for istio-sidecar-injector Security	2	722	November 19, 2019
Istio Multicluster Custom CA Issues Security	9	2064	April 20, 2020
Providing additional root certificates in caCertificates in meshConfig doesn't work	2	1074	June 28, 2023

Manually Provision server/client certs with Istio Citadel

Related Topics