Enable ECC workload certificates

About enabling ECC workload certificates

Introduction

If you want Istiod to create ECC instead of RSA workload certificates, you can enable ECC workload certificates for Istiod.

If you want Citadel (if installed) to create ECC workload certificates, you must use an ECC certificate for ca-cert.pem when plugging in CA certificates.

When to enable ECC workload certificates

Enable ECC workload certificates when any of the following is true:

  • Your organization’s security and compliance policies require the use of ECC certificates for all workloads.

  • You want to take advantage of the benefits that ECC workload certificates provide.

Benefits of ECC

These are some of the benefits of ECC:

  • Small ECC keys (stored in ECC certificates) have the equivalent strength of larger RSA keys. For instance, a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key.

  • Smaller ECC keys mean less data is transmitted between the client and server during the mTLS handshake.

  • Key generation for ECC is substantially faster than for RSA.

  • ECC requires less CPU and memory than RSA when encrypting and decrypting keys.

Drawback of ECC

ECC signature verification can be computationally intensive and may be slower than RSA signature verification on some devices.

Supported ECC algorithm and curve

ECC workload certificates created by Istiod and Citadel use the Elliptic Curve Digital Signature Algorithm (ECDSA) and curve P-256.

Enable ECC workload certificates for Istiod and re-create workload certificates

Enable ECC workload certificates for Istiod

  1. Open your Aspen Mesh override values file (aspen-mesh-override-values.yaml) in a text editor.

  2. Copy the following information and paste it into the file:

    global:
      enableEccCertificates: true
    
  3. Save and close the file.

  4. Is Aspen Mesh already installed?

    Note

    Answer no if you were directed to this page while performing a clean installation of Aspen Mesh.

    • Yes:

      • Go to step 5.

    • No:

      • Stop. Continue performing the clean installation of Aspen Mesh.

  5. Change to the Aspen Mesh release directory.

  6. Reconfigure Istiod:

    $ helm upgrade istiod manifests/charts/istio-control/istio-discovery \
        --namespace istio-system \
        --values aspen-mesh-override-values.yaml \
        --wait
    
  7. Restart the Istiod pods:

    $ kubectl rollout restart deployment istiod --namespace istio-system
    

Re-create all workload certificates managed by Istiod

Note

Make sure yq 4.18.1 or later is installed before performing this task.

  1. In each namespace in which sidecar injection (either automatic or manual) is being used, restart all pods with sidecars:

    $ kubectl delete pods --namespace <namespaceName> \
        --selector security.istio.io/tlsMode=istio
    
  2. Reconfigure the Istio ingress gateway:

    $ helm upgrade istio-ingress manifests/charts/gateways/istio-ingress \
        --namespace <ingressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --wait
    
  3. If you’re using the Istio egress gateway, reconfigure the Istio egress gateway:

    $ helm upgrade istio-egress manifests/charts/gateways/istio-egress \
        --namespace <egressNamespaceName> \
        --values aspen-mesh-override-values.yaml
    
  4. Inspect the workload certificate of any on-mesh, non-gateway pod (or the on-mesh interface of any Istio gateway pod) to verify that it is an ECC certificate: the Public Key Algorithm field of an ECC certificate reads id-ecPublicKey rather than rsaEncryption.
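The following shell helpers, added here as an example and not part of Aspen Mesh or Istio, automate the inspection in step 4 and also confirm the curve named under "Supported ECC algorithm and curve". They assume openssl is installed; fetch_workload_cert further assumes istioctl and yq (4.18.1 or later) are on PATH, that kubectl points at the mesh, and that the JSON emitted by istioctl proxy-config secret carries the workload certificate chain under a dynamicActiveSecrets entry named "default" (the layout of the Envoy secret dump, stated here as an assumption). The pod name in the usage comment is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not Aspen Mesh or Istio code): check that a workload
# certificate is an ECDSA P-256 certificate after the ECC rollout.
# Assumptions: openssl on PATH; istioctl, yq and cluster access for
# fetch_workload_cert only.

# Print the key algorithm of the first certificate in a PEM file:
# "ECC" for id-ecPublicKey, "RSA" for rsaEncryption, "UNKNOWN" otherwise.
cert_key_algorithm() {
  algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
  case "$algo" in
    id-ecPublicKey) echo "ECC" ;;
    rsaEncryption)  echo "RSA" ;;
    *)              echo "UNKNOWN" ;;
  esac
}

# Print the named curve of an EC certificate (empty for RSA), e.g. "prime256v1",
# which is the OpenSSL name for P-256, the curve Istiod and Citadel use.
cert_ec_curve() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p' | head -n 1
}

# Pull the certificate chain a sidecar is currently serving out of its Envoy
# secret dump and write it as PEM. Assumed JSON layout: .dynamicActiveSecrets[]
# where the entry named "default" carries the workload certificate (base64).
fetch_workload_cert() {
  pod="$1"; ns="$2"; out="$3"
  istioctl proxy-config secret "$pod" --namespace "$ns" -o json \
    | yq '.dynamicActiveSecrets[] | select(.name == "default") | .secret.tlsCertificate.certificateChain.inlineBytes' \
    | base64 -d > "$out"
}

# Succeed only if the certificate is ECC on P-256; usable as a post-rollout gate.
assert_ecc_p256() {
  [ "$(cert_key_algorithm "$1")" = "ECC" ] && [ "$(cert_ec_curve "$1")" = "prime256v1" ]
}

# Usage against a live mesh (pod name is a constructed placeholder):
#   fetch_workload_cert httpbin-7c6b8d4f9-abcde default /tmp/chain.pem
#   assert_ecc_p256 /tmp/chain.pem && echo "workload cert is ECDSA P-256"
```

Run assert_ecc_p256 against a pod in each namespace you restarted and against the on-mesh interface of each gateway; a pod that still reports RSA was not restarted after the Istiod change, or the values file was not applied to that gateway's Helm release.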