Plugging in existing CA Certificates in istio1.5

Hi All,

I am a bit confused by the behavior of Istio 1.5 when it comes to changing the certificate.
I have installed Istio with the following command and then created the sample bookinfo example:
istioctl manifest apply --set profile=demo

I debugged the certificate and it has the following values:
Issuer: O=cluster.local

Then I plugged in existing CA certificates and executed the following command:
istioctl manifest apply --set,

I was expecting istiod to be redeployed, but it is not. Instead, I see the following error in the istiod logs:

2020-04-05T16:57:23.696459Z info grpc: Server.Serve failed to complete security handshake from "": remote error: tls: unknown certificate authority

kubectl get pods -n istio-system


Once I restart all these components I don't see any exception. I was expecting that, as it is using default SDS, it should be reflected automatically.

At the same time, my certificates have the same value. I was expecting it to change at runtime, but it did not:
Issuer: O=cluster.local

Then I deleted the pods in bookinfo and see the issuer change.
Issuer: C=US, ST=California, L=Sunnyvale, O=Istio, CN=Istio CA

I would be thankful for any kind of explanation.

As shown on, plugging in an existing CA certificate should take place at the installation time.
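
The symptom in this thread (workloads still presenting `Issuer: O=cluster.local` until their pods are deleted) can be checked by verifying each workload certificate against the old and the new CA. This is an added example, not part of the original posts: the function names, file names and both CAs are constructed for the demo, and it assumes each CA is a single self-signed certificate.

```shell
#!/usr/bin/env bash
# Added example: tell which CA signed a workload certificate.
# File names and the make_* helpers are constructed for this demo.

# signed_by CA_PEM CERT_PEM: succeeds only if CERT_PEM verifies against CA_PEM.
signed_by() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify OLD_CA NEW_CA CERT: prints "new", "old" or "unknown".
classify() {
  if signed_by "$2" "$3"; then echo new
  elif signed_by "$1" "$3"; then echo old
  else echo unknown
  fi
}

# make_ca PREFIX SUBJECT: constructed self-signed CA (PREFIX.key, PREFIX.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_leaf CA_PREFIX OUT_PREFIX: constructed leaf certificate signed by that CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=workload" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

# demo: build both CAs and one leaf from each, then classify them.
demo() {
  local d; d=$(mktemp -d)
  make_ca "$d/old" "/O=cluster.local"
  make_ca "$d/new" "/C=US/ST=California/L=Sunnyvale/O=Istio/CN=Istio CA"
  make_leaf "$d/old" "$d/before-restart"
  make_leaf "$d/new" "$d/after-restart"
  echo "before-restart: $(classify "$d/old.pem" "$d/new.pem" "$d/before-restart.pem")"
  echo "after-restart: $(classify "$d/old.pem" "$d/new.pem" "$d/after-restart.pem")"
  rm -rf "$d"
}

demo
```

A certificate classified as `old` will be rejected by any peer that trusts only the new CA, which matches the `unknown certificate authority` handshake error quoted above.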

Hi leitlang,

Thanks for your answer. Is it possible to change the expiration time of the token…?


For which token do you plan to change the expiration time? The token issuer should be able to reissue a new token with a new expiration time.

Sorry, I was not very clear while asking. I meant the default certificate expiration time. At the moment it is 24hrs.

The certificate expiration time may be customized. Examples can be found in

Hi Leitlang.

Thanks a lot.