Hello,
We configured Citadel with an external CA Key/Cert as described in https://istio.io/docs/tasks/security/plugin-ca-cert/. One of the things that we noticed was the Certificate does not have the regular 'Common Name' field. Instead the identity of the Service (SPIFFE) is present on the Subject Alternate Name (SAN) on the certificate.
We can see this even on the example listed here: https://istio.io/help/ops/security/keys-and-certs/
When researching this further, I came across the list of all Citadel supported config flags here: https://istio.io/docs/reference/commands/istio_ca/, and one of them specifically related to Common Name is '--experimental-dual-use'. As per the documentation, setting this flag will enable the mTLS certificate to also have the 'Common Name' in addition to the SAN.
A few queries related to this:
1. Is there any reason why SAN and not Common Name is populated and used by default? Given that each mTLS certificate will have only one identity corresponding to a Service Account, why is SAN and not Common Name being used as the primary identifier?
2. The attribute to enable Common Name generation ('--experimental-dual-use') seems to be experimental. Is there any reason for it being experimental, and could it be potentially removed from future releases of Istio?
Istio version this was tested on: v1.1.7
-Regards
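As an added example (not from the post and not Istio's own code), the following Go program builds a constructed self-signed certificate in the two shapes discussed above, SAN-only (Citadel's default) and SAN plus Common Name (dual-use), and shows a verifier that takes the workload identity from the SPIFFE URI SAN while only reporting the CN. The SPIFFE ID used is a constructed sample in Istio's spiffe://<trust domain>/ns/<namespace>/sa/<service account> layout; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Identity holds what a verifier extracted from a workload certificate.
type Identity struct {
	SPIFFEID   string // from the URI SAN; empty if absent
	CommonName string // from the Subject; empty in Citadel's default mode
}

// MakeWorkloadCert creates a constructed self-signed DER certificate with the
// SPIFFE ID in a URI SAN and, if cn is non-empty, a Common Name as well
// (the dual-use shape). With an empty cn the Subject is an empty sequence,
// and Go marks the SAN extension critical as RFC 5280 requires in that case.
func MakeWorkloadCert(spiffeID, cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ExtractIdentity parses the DER certificate and returns the SPIFFE URI SAN as
// the authoritative identity; the CN is carried along for display only.
func ExtractIdentity(der []byte) (Identity, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Identity{}, err
	}
	id := Identity{CommonName: cert.Subject.CommonName}
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			id.SPIFFEID = u.String()
			break
		}
	}
	if id.SPIFFEID == "" {
		return id, errors.New("no spiffe:// URI SAN present")
	}
	return id, nil
}

func main() {
	for _, cn := range []string{"", "spiffe://cluster.local/ns/default/sa/productpage"} {
		der, _ := MakeWorkloadCert("spiffe://cluster.local/ns/default/sa/productpage", cn)
		id, err := ExtractIdentity(der)
		fmt.Printf("identity=%q cn=%q err=%v\n", id.SPIFFEID, id.CommonName, err)
	}
}
```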