Enable ECC workload certificates
About enabling ECC workload certificates
Introduction
If you want Istiod to create ECC instead of RSA workload certificates, you can enable ECC workload certificates for Istiod.
If you want Citadel (if installed) to create ECC workload certificates, you must use an ECC certificate for ca-cert.pem when plugging in CA certificates.
Note
If you haven’t already done so, learn about the Aspen Mesh certificate authorities (CAs) and the types of pods they support.
When to enable ECC workload certificates
Enable ECC workload certificates when any of the following is true:
Your organization’s security and compliance policies require the use of ECC certificates for all workloads.
You want to take advantage of the benefits that ECC workload certificates provide.
Benefits of ECC
These are some of the benefits of ECC:
Small ECC keys (stored in ECC certificates) have strength equivalent to that of much larger RSA keys. For instance, a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key.
Smaller ECC keys mean less data is transmitted between the client and server during the mTLS handshake.
Key generation for ECC is substantially faster than for RSA.
ECC requires less CPU and memory than RSA when encrypting and decrypting keys.
Drawback of ECC
The ECC signature verification can be computationally intensive and may be slower than RSA on some devices.
Supported ECC algorithm and curve
ECC workload certificates created by Istiod and Citadel use the Elliptic Curve Digital Signature Algorithm (ECDSA) and curve P-256.
Enable ECC workload certificates for Istiod and re-create workload certificates
Log in to the appropriate artifact registry with Helm and set the repository address
Enable ECC workload certificates for Istiod
1. In a terminal window on your computer, make sure you’re in the Aspen Mesh Platform chart directory.
2. Open your Aspen Mesh override values file (aspen-mesh-override-values.yaml) in a text editor.
3. Copy the following information and paste it into the file:

   defaults:
     global:
       enableEccCertificates: true

4. Save and close the file.
5. Is Aspen Mesh already installed?
   Note
   Answer no if you were directed to this page while performing a clean installation of Aspen Mesh.
   Yes: Go to step 6.
   No: Stop. Continue performing the clean installation of Aspen Mesh.
6. Set the AM_TAG environment variable to the version of Aspen Mesh that’s installed.
   Example
   $ export AM_TAG=1.21.6-am1
7. Reconfigure Istiod:
   Kubernetes
   $ helm upgrade istiod oci://$AM_REPO/charts/istiod --version $AM_TAG \
       --namespace istio-system \
       --values aspen-mesh-override-values.yaml \
       --wait
   OpenShift
   $ helm upgrade istiod oci://$AM_REPO/charts/istiod --version $AM_TAG \
       --namespace istio-system \
       --values aspen-mesh-override-values.yaml \
       --set profile=openshift \
       --wait
8. Restart the Istiod pods:
   $ kubectl rollout restart deployment istiod --namespace istio-system
Re-create all workload certificates managed by Istiod
Note
Make sure yq 4.18.1 or later is installed before performing this task.
1. In each namespace in which sidecar injection (either automatic or manual) is being used, restart all pods with sidecars:
   $ kubectl delete pods --namespace <namespaceName> \
       --selector security.istio.io/tlsMode=istio
2. Set the AM_TAG environment variable to the version of Aspen Mesh that’s installed.
   Example
   $ export AM_TAG=1.21.6-am1
3. Reconfigure the Istio ingress gateway:
   Kubernetes
   $ helm upgrade istio-ingress oci://$AM_REPO/charts/istio-ingress --version $AM_TAG \
       --namespace <ingressNamespaceName> \
       --values aspen-mesh-override-values.yaml \
       --wait
   OpenShift
   $ helm upgrade istio-ingress oci://$AM_REPO/charts/istio-ingress --version $AM_TAG \
       --namespace <ingressNamespaceName> \
       --values aspen-mesh-override-values.yaml \
       --set profile=openshift \
       --wait
4. If you’re using the Istio egress gateway, reconfigure the Istio egress gateway:
   Kubernetes
   $ helm upgrade istio-egress oci://$AM_REPO/charts/istio-egress --version $AM_TAG \
       --namespace <egressNamespaceName> \
       --values aspen-mesh-override-values.yaml \
       --wait
   OpenShift
   $ helm upgrade istio-egress oci://$AM_REPO/charts/istio-egress --version $AM_TAG \
       --namespace <egressNamespaceName> \
       --values aspen-mesh-override-values.yaml \
       --set profile=openshift \
       --wait
5. Inspect the workload certificate for any on-mesh non-gateway pod (or the on-mesh interface of any Istio gateway pod) to make sure it’s an ECC certificate (the value of the Public Key Algorithm field for an ECC certificate is id-ecPublicKey instead of rsaEncryption).
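One way to carry out that inspection from a workstation, as an added example that is not part of the Aspen Mesh documentation: it saves the certificate chain a sidecar currently serves using istioctl and jq (both assumed installed), then reads the Public Key Algorithm and curve with openssl, so that id-ecPublicKey on prime256v1 (P-256) confirms the switch. The pod name, namespace and output path are placeholders, and the two self-signed sample certificates are constructed locally so the checks can be exercised without a cluster.

```shell
# Added example; not Aspen Mesh documentation code. Requires openssl; the
# cluster-facing helper additionally requires istioctl and jq (assumed).

# Print the Public Key Algorithm of the first certificate in PEM file $1:
# id-ecPublicKey for an ECC certificate, rsaEncryption for an RSA one.
pubkey_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}

# Print the named curve of an ECC certificate in PEM file $1 (empty for RSA).
# Istiod and Citadel issue P-256 certificates, which openssl names prime256v1.
pubkey_curve() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Succeed only when PEM file $1 holds an ECDSA P-256 certificate.
is_ecc_p256() {
  [ "$(pubkey_alg "$1")" = "id-ecPublicKey" ] &&
    [ "$(pubkey_curve "$1")" = "prime256v1" ]
}

# Save the certificate chain the sidecar of pod $1 in namespace $2 currently
# serves to PEM file $3 (assumed istioctl/jq invocation; needs a live mesh).
workload_chain() {
  istioctl proxy-config secret "$1.$2" -o json |
    jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' |
    base64 -d > "$3"
}

# Constructed sample input: one self-signed P-256 and one self-signed RSA
# certificate generated locally so the checks run without a cluster.
make_samples() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj /CN=ecc-sample -days 1 -keyout "$dir/ec.key" -out "$dir/ec.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes \
    -subj /CN=rsa-sample -days 1 -keyout "$dir/rsa.key" -out "$dir/rsa.pem" 2>/dev/null
  echo "$dir"
}

# Usage against a live mesh (pod name and namespace are placeholders):
#   workload_chain <podName> <namespaceName> chain.pem && is_ecc_p256 chain.pem
```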