Inspect an Istiod or Citadel workload certificate

Introduction

You can easily inspect a workload certificate created by Istiod or Citadel (for example, to determine whether the certificate is an RSA or ECC certificate or includes traditional SAN names).

Determine whether a workload certificate is an RSA or ECC certificate

The value of the Public Key Algorithm field in a certificate tells you whether it's an RSA or ECC certificate:

  Public Key Algorithm field    Certificate type
  rsaEncryption                 RSA
  id-ecPublicKey                ECC

Inspect the Istiod workload certificate for a pod (or pod interface)

Note

  • Perform this task when you want to inspect the workload certificate for an on-mesh non-gateway pod or the on-mesh interface of an Istio gateway pod.

  • Make sure yq 4.18.1 or later is installed before performing this task.

Inspect the Istiod workload certificate for the pod (or pod interface):

    $ istioctl proxy-config secret <podName> --namespace <namespaceName> --output yaml | \
        yq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \
        base64 --decode | openssl x509 -noout -text

Inspect the Citadel workload certificate for a service account

Inspect the Citadel workload certificate for the service account (in a namespace in which Citadel workload certificates are enabled):

    $ kubectl get secret istio.<serviceAccountName> --namespace <namespaceName> --output yaml | \
        yq '.data.cert' | base64 --decode | openssl x509 -noout -text
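Both pipelines above end in `openssl x509 -noout -text`, and the Public Key Algorithm table earlier on this page tells you how to read one field of that dump by eye. The script below is an added example (not part of this page or of Istio) that does the same reading programmatically: it takes the text dump on stdin, classifies the key as RSA or ECC using the same two field values, pulls the key size, and splits the Subject Alternative Name line into DNS names and SPIFFE URIs so you can confirm a workload identity without scrolling the output. The two embedded dumps are constructed, abridged samples in the layout `openssl x509 -text` prints; they are not real certificates, and the `cluster.local` trust domain and service-account names in them are placeholders.

```python
import json
import re
import sys

# Mapping from the Public Key Algorithm field to the certificate type,
# exactly as in the table above.
KEY_TYPES = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECC"}

# Constructed sample: an abridged `openssl x509 -noout -text` dump for an
# RSA workload certificate (placeholder identity, not a real certificate).
SAMPLE_RSA = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O = cluster.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/default/sa/default
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: the same layout for an ECC certificate that also
# carries a traditional DNS SAN alongside its SPIFFE URI.
SAMPLE_ECC = """\
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                DNS:reviews.default.svc.cluster.local, URI:spiffe://cluster.local/ns/default/sa/bookinfo-reviews
"""


def inspect_cert_text(text):
    """Summarise an `openssl x509 -noout -text` dump as a dict."""
    algo_match = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if not algo_match:
        raise ValueError("no Public Key Algorithm field found; is this an openssl -text dump?")
    algo = algo_match.group(1)

    # Key size appears as "RSA Public-Key: (2048 bit)" or "Public-Key: (256 bit)".
    bits_match = re.search(r"Public-Key:\s*\((\d+) bit\)", text)

    # The SAN entries sit on the line following the extension header,
    # comma-separated, each prefixed with its type (DNS:, URI:, IP Address:, ...).
    san_match = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    sans = [s.strip() for s in san_match.group(1).split(",")] if san_match else []

    return {
        "algorithm": algo,
        "type": KEY_TYPES.get(algo, "unknown"),
        "bits": int(bits_match.group(1)) if bits_match else None,
        "sans": sans,
        "dns_names": [s[len("DNS:"):] for s in sans if s.startswith("DNS:")],
        "spiffe_ids": [s[len("URI:"):] for s in sans if s.startswith("URI:spiffe://")],
    }


if __name__ == "__main__":
    # Usage: append "| python3 inspect_cert.py" to either pipeline above.
    print(json.dumps(inspect_cert_text(sys.stdin.read()), indent=2))
```

Because `openssl x509` only decodes the first certificate in its input, running this on the `certificateChain` output inspects the leaf workload certificate, not the intermediates; an absent `spiffe_ids` entry or an unexpected `dns_names` entry is the quickest sign that a pod is presenting a certificate it should not.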