Inspect an Istiod or Citadel workload certificate

Introduction

You can easily inspect a workload certificate created by Istiod or Citadel (for example, to determine whether the certificate is an RSA or ECC certificate or whether it includes traditional SAN names).

Note: If you haven’t already done so, learn about the Aspen Mesh certificate authorities (CAs) and the types of pods they support.
Determine whether a workload certificate is an RSA or ECC certificate

The value of the Public Key Algorithm field in the decoded certificate (as printed by openssl x509 -text) tells you whether it’s an RSA or ECC certificate:

| Public Key Algorithm | Certificate type |
|---|---|
| rsaEncryption | RSA |
| id-ecPublicKey | ECC |
Inspect the Istiod workload certificate for a pod (or pod interface)

Note: Perform this task when you want to inspect the workload certificate for an on-mesh non-gateway pod or the on-mesh interface of an Istio gateway pod.

Make sure yq 4.18.1 or later is installed before performing this task.
Inspect the Istiod workload certificate for the pod (or pod interface):

$ istioctl proxy-config secret <podName> --namespace <namespaceName> --output yaml | \
    yq '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \
    base64 --decode | openssl x509 -noout -text
Inspect the Citadel workload certificate for a service account

Note: Perform this task when you want to inspect the workload certificate for a service account (because you’ve configured the pods in an off-mesh, on-cluster non-gateway workload, or the off-mesh interfaces of the pods in an Istio gateway workload, to use that certificate).

Make sure yq 4.18.1 or later is installed before performing this task.
Inspect the Citadel workload certificate for the service account (in a namespace in which Citadel workload certificates are enabled):

$ kubectl get secret istio.<serviceAccountName> --namespace <namespaceName> --output yaml | \
    yq '.data.cert' | base64 --decode | openssl x509 -noout -text
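The two pipelines above hand a PEM certificate to openssl so you can read the Public Key Algorithm field and the SAN list by eye. The following Go program is an added example (not part of the Aspen Mesh documentation or the Istio code base) that performs the same two checks programmatically: it parses the first CERTIFICATE block of a PEM chain, reports RSA versus ECC from the key type, and lists DNS SANs separately from URI SANs. It assumes that a workload identity is carried as a SPIFFE URI SAN, which is how Istio issues workload certificates; the two sample certificates are constructed in memory with self-signed keys so the program runs offline, and the spiffe:// and DNS values in them are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CertSummary holds the fields a practitioner checks on a workload certificate:
// the key family (what openssl prints as "Public Key Algorithm") and the SANs.
type CertSummary struct {
	KeyType  string   // "RSA" or "ECC"
	KeyBits  int      // modulus size for RSA, curve size for ECC
	DNSNames []string // traditional DNS SAN names
	URISANs  []string // URI SANs (SPIFFE workload identities in Istio)
}

// InspectPEM parses the first CERTIFICATE block of a PEM chain (the leaf in the
// chains produced by istioctl/kubectl above) and classifies its key and SANs.
func InspectPEM(pemBytes []byte) (CertSummary, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertSummary{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertSummary{}, err
	}
	s := CertSummary{DNSNames: cert.DNSNames}
	for _, u := range cert.URIs {
		s.URISANs = append(s.URISANs, u.String())
	}
	// The concrete public key type is the programmatic equivalent of
	// rsaEncryption vs id-ecPublicKey in the openssl text output.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		s.KeyType, s.KeyBits = "RSA", pub.N.BitLen()
	case *ecdsa.PublicKey:
		s.KeyType, s.KeyBits = "ECC", pub.Curve.Params().BitSize
	default:
		return s, fmt.Errorf("unsupported public key type %T", pub)
	}
	return s, nil
}

// newSelfSigned builds a constructed sample certificate; it is not something
// a cluster issued and exists only so the example runs offline.
func newSelfSigned(priv, pub any, spiffeID string, dns []string) ([]byte, error) {
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample-workload"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{uri},
		DNSNames:     dns,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleRSACert: RSA-2048 key, SPIFFE URI SAN only (constructed values).
func SampleRSACert() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return newSelfSigned(key, &key.PublicKey, "spiffe://cluster.local/ns/default/sa/default", nil)
}

// SampleECCCert: P-256 key, SPIFFE URI SAN plus a traditional DNS SAN (constructed values).
func SampleECCCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return newSelfSigned(key, &key.PublicKey, "spiffe://cluster.local/ns/default/sa/default",
		[]string{"sample.default.svc.cluster.local"})
}

func main() {
	for _, gen := range []func() ([]byte, error){SampleRSACert, SampleECCCert} {
		p, err := gen()
		if err != nil {
			panic(err)
		}
		s, err := InspectPEM(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s-%d  DNS SANs=%v  URI SANs=%v\n", s.KeyType, s.KeyBits, s.DNSNames, s.URISANs)
	}
}
```

To use it against a real certificate, feed InspectPEM the bytes produced by the istioctl or kubectl pipeline with the trailing openssl stage removed (that is, the output of base64 --decode); the function reads only the leaf, so the rest of the chain is ignored.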