Question about istio-ca-secret stored as k8 secret

1.5 has now better security compared to previous versions because the key and cert arent stored as k8 secrets.

but istio-system has ca-key.pem in istio-ca-secret, does it mean that this key can be used to sign any cert that can be trusted inside the mesh?

if that is true then is it possible to keep this secret into memory instead of k8 secret?

Hi @deepak_deore
AFIK By default, Istio’s CA generates a self-signed root certificate and key, and uses them to sign the workload certificates Which are stored in secrets.

but not know much about keep why it is not in memory. but may be it make easy to do " Plugging in existing CA Certificates" or use external CA. not sure on this.

This is true, you could replace this pen with your own certificates generated with OpenSSL and then use them to create this secret. Istio CA will use them to sign the workloads certs. This way you could also rotate them when needed. More at

yeah, i am aware that this secret is used for custom ca.

1.5 now doesn’t keep certs as k8 secret which is great security improvement but keeping the root cacert as k8 secret makes it insecure, so i my question was more towards that, may be in future istio will have a way to provide custom ca cert more securely than using k8 secret

The k8s secret that stores the cacert is in the istio-system namespace. Which is not accessible from other namespaces. If we don’t want to sign CSR for a namespace, we can add a support to configure namespaces in Istiod. @Oliver