Enable ECC workload certificates

About enabling ECC workload certificates

Introduction

If you want Istiod to create ECC instead of RSA workload certificates, you can enable ECC workload certificates for Istiod.

If you want Citadel (if installed) to create ECC workload certificates, you must use an ECC certificate for ca-cert.pem when plugging in CA certificates.

When to enable ECC workload certificates

Enable ECC workload certificates when any of the following is true:

  • Your organization’s security and compliance policies require the use of ECC certificates for all workloads.

  • You want to take advantage of the benefits that ECC workload certificates provide.

Benefits of ECC

These are some of the benefits of ECC:

  • Small ECC keys (stored in ECC certificates) have the equivalent strength of larger RSA keys. For instance, a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key.

  • Smaller ECC keys mean less data is transmitted between the client and server during the mTLS handshake.

  • Key generation for ECC is substantially faster than for RSA.

  • ECC requires less CPU and memory than RSA when encrypting and decrypting keys.

Drawback of ECC

ECC signature verification can be computationally intensive and may be slower than RSA signature verification on some devices.

Supported ECC algorithm and curve

ECC workload certificates created by Istiod and Citadel use the Elliptic Curve Digital Signature Algorithm (ECDSA) and curve P-256.

Enable ECC workload certificates for Istiod and re-create workload certificates

Log in to the appropriate artifact registry with Helm and set the repository address

Enable ECC workload certificates for Istiod

  1. In a terminal window on your computer, make sure you’re in the Aspen Mesh Platform chart directory.

  2. Open your Aspen Mesh override values file (aspen-mesh-override-values.yaml) in a text editor.

  3. Copy the following information and paste it into the file:

    defaults:
      global:
        enableEccCertificates: true
    
  4. Save and close the file.

  5. Is Aspen Mesh already installed?

    Note

    Answer no if you were directed to this page while performing a clean installation of Aspen Mesh.

    • Yes:

      • Go to step 6.

    • No:

      • Stop. Continue performing the clean installation of Aspen Mesh.

  6. Set the AM_TAG environment variable to the version of Aspen Mesh that’s installed.

    Example

    $ export AM_TAG=1.21.6-am1
    
  7. Reconfigure Istiod:

    Kubernetes

    $ helm upgrade istiod oci://$AM_REPO/charts/istiod --version $AM_TAG \
        --namespace istio-system \
        --values aspen-mesh-override-values.yaml \
        --wait
    

    OpenShift

    $ helm upgrade istiod oci://$AM_REPO/charts/istiod --version $AM_TAG \
        --namespace istio-system \
        --values aspen-mesh-override-values.yaml \
        --set profile=openshift \
        --wait
    
  8. Restart the Istiod pods:

    $ kubectl rollout restart deployment istiod --namespace istio-system
    

Re-create all workload certificates managed by Istiod

Note

Make sure yq 4.18.1 or later is installed before performing this task.

  1. In each namespace in which sidecar injection (either automatic or manual) is being used, restart all pods with sidecars:

    $ kubectl delete pods --namespace <namespaceName> \
        --selector security.istio.io/tlsMode=istio
    
  2. Set the AM_TAG environment variable to the version of Aspen Mesh that’s installed.

    Example

    $ export AM_TAG=1.21.6-am1
    
  3. Reconfigure the Istio ingress gateway:

    Kubernetes

    $ helm upgrade istio-ingress oci://$AM_REPO/charts/istio-ingress --version $AM_TAG \
        --namespace <ingressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --wait
    

    OpenShift

    $ helm upgrade istio-ingress oci://$AM_REPO/charts/istio-ingress --version $AM_TAG \
        --namespace <ingressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --set profile=openshift \
        --wait
    
  4. If you’re using the Istio egress gateway, reconfigure the Istio egress gateway:

    Kubernetes

    $ helm upgrade istio-egress oci://$AM_REPO/charts/istio-egress --version $AM_TAG \
        --namespace <egressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --wait
    

    OpenShift

    $ helm upgrade istio-egress oci://$AM_REPO/charts/istio-egress --version $AM_TAG \
        --namespace <egressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --set profile=openshift \
        --wait
    
  5. Inspect the workload certificate for any on-mesh non-gateway pod (or the on-mesh interface of any Istio gateway pod) to make sure it’s an ECC certificate. In an ECC certificate, the value of the Public Key Algorithm field is id-ecPublicKey instead of rsaEncryption.
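The check in step 5, as an added example that is not part of the Aspen Mesh documentation: it reads the Public Key Algorithm and Signature Algorithm fields of a PEM certificate with openssl, and generates constructed self-signed P-256 and RSA certificates to stand in for Istiod-issued workload certificates. The sidecar_cert helper assumes istioctl and jq are installed and that the Envoy secret named "default" holds the sidecar's workload certificate chain.

```shell
#!/usr/bin/env bash
# Added example (not Aspen Mesh documentation code): verify that a workload
# certificate is ECC by reading its Public Key Algorithm field.
set -eu

# cert_key_alg FILE: print the Public Key Algorithm of a PEM certificate,
# "id-ecPublicKey" for ECC or "rsaEncryption" for RSA.
cert_key_alg() {
  openssl x509 -in "$1" -noout -text \
    | awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# cert_sig_alg FILE: print the Signature Algorithm (ecdsa-with-SHA256 when
# an ECC CA signed the cert, sha256WithRSAEncryption for an RSA CA).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# is_ecc_cert FILE: exit 0 only when the certificate's key is ECC.
is_ecc_cert() {
  [ "$(cert_key_alg "$1")" = "id-ecPublicKey" ]
}

# sidecar_cert FILE POD NAMESPACE: write the sidecar's current workload
# certificate chain to FILE. Assumption: istioctl and jq are installed and the
# Envoy SDS secret named "default" carries the workload certificate.
sidecar_cert() {
  istioctl proxy-config secret "$2" --namespace "$3" --output json \
    | jq -r '.dynamicActiveSecrets[] | select(.name == "default")
             | .secret.tlsCertificate.certificateChain.inlineBytes' \
    | base64 -d > "$1"
}

# make_demo_certs DIR: constructed self-signed certificates standing in for
# Istiod-issued workload certs: one P-256 (prime256v1) ECC cert, one RSA cert.
make_demo_certs() {
  openssl req -x509 -nodes -days 1 -subj "/CN=demo-ecc" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$1/ecc.key" -out "$1/ecc.pem" 2>/dev/null
  openssl req -x509 -nodes -days 1 -subj "/CN=demo-rsa" \
    -newkey rsa:2048 -keyout "$1/rsa.key" -out "$1/rsa.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in ecc rsa; do
  printf '%s: key=%s sig=%s\n' "$c" \
    "$(cert_key_alg "$demo_dir/$c.pem")" "$(cert_sig_alg "$demo_dir/$c.pem")"
done
rm -rf "$demo_dir"
```

Against a real mesh, run `sidecar_cert wl.pem <podName> <namespaceName>` and then `is_ecc_cert wl.pem` after the pods have been restarted.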