Plug in CA certificates#

About plugging in CA certificates#

Introduction#

You can plug in your own root certificate, CA (intermediate) certificate, certificate chain, and CA private key so that Istiod and Citadel (if installed) issue workload certificates from your CA instead of from a self-signed one.

What happens if you don’t plug in CA certificates#

If you don’t plug in CA certificates, then:

  • Istiod creates a self-signed RSA root certificate (which it also uses as a CA certificate) and a private key and uses them to create workload certificates.

  • Citadel (if installed) won’t start.

When to plug in CA certificates#

Plug in CA certificates when any of the following is true:

  • Your organization’s security and compliance policies require the use of your centralized CA infrastructure as root for all issued certificates, including workload certificates created by Istiod and Citadel (if installed).

  • You’re using Citadel (for example, because you’re using Packet Inspector 1).

Note

It’s recommended that you plug in CA certificates when you first install Aspen Mesh in case you later need to install Citadel, which requires that you plug in CA certificates.

Required credential files#

To plug in CA certificates, you need the following credential files. You store them in a Kubernetes secret named cacerts in the istio-system namespace; Istiod (and Citadel, if installed) reads that secret and uses its contents as the signing CA for workload certificates:

File            Description

ca-cert.pem     The CA certificate that Istiod (and Citadel, if installed) uses to sign
                workload certificates. It can be the same certificate as root-cert.pem.

ca-key.pem      The private key belonging to ca-cert.pem. Istiod (and Citadel, if
                installed) signs every workload certificate with it.

cert-chain.pem  The chain of trust that workloads need in order to validate up to the
                root: all intermediate certificates between the workload certificates
                and the root CA. This file should be empty if root-cert.pem and
                ca-cert.pem are the same certificate.

root-cert.pem   The root certificate that signed ca-cert.pem; it is the trust anchor
                distributed to workloads. It can be the same certificate as ca-cert.pem.

Note

  • The filenames must be exactly as shown. They become the keys of the secret, and Istiod looks them up by name.

  • Each credential file can be either Rivest–Shamir–Adleman (RSA) or elliptic-curve cryptography (ECC).

  • Regardless of the types of the credential files, Istiod creates RSA workload certificates unless you enable ECC workload certificates for Istiod.

  • Citadel creates workload certificates whose type matches that of ca-cert.pem.

  • ca-key.pem signs every workload certificate in the mesh, so anyone who can read the cacerts secret can mint an identity for any service. Prefer an intermediate CA for ca-cert.pem so that the root key never enters the cluster, and restrict read access to secrets in istio-system.

Plug in CA certificates and re-create workload certificates#

Plug in CA certificates#

  1. Create a directory to hold the required credential files.

  2. Change to the directory you created.

  3. If the required credential files don’t already exist, create them.

  4. If the istio-system namespace doesn’t exist, create it:

    $ kubectl create namespace istio-system
    
  5. Use the required credential files to create a Kubernetes secret named cacerts in the istio-system namespace:

    $ kubectl create secret generic cacerts --namespace istio-system \
        --from-file=ca-cert.pem \
        --from-file=ca-key.pem \
        --from-file=root-cert.pem \
        --from-file=cert-chain.pem
    
  6. Is Aspen Mesh already installed?

    Note

    Answer no if you were directed to this page while performing a clean installation of Aspen Mesh.

    • Yes:

      • Go to step 7.

    • No:

      • Stop. Continue performing the clean installation of Aspen Mesh.

  7. Restart the Istiod pods:

    $ kubectl rollout restart deployment istiod --namespace istio-system
    
  8. If Citadel is installed, restart the Citadel pods:

    $ kubectl rollout restart deployment istio-citadel --namespace istio-system
    
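The creation of the credential files in step 3, the checks a practitioner wants before uploading them, and the namespace and secret creation of steps 4 and 5, gathered into one script. This is an added example, not Aspen Mesh's own tooling: it generates a root CA whose key stays offline and an intermediate CA whose certificate and key become ca-cert.pem and ca-key.pem, so the cert-chain.pem it produces is the intermediate followed by the root rather than an empty file. The directory name, subject names, key sizes and validity periods are placeholder assumptions; openssl 1.1.1 or later and kubectl are assumed to be on PATH.

```shell
#!/usr/bin/env sh
# Added example, not Aspen Mesh tooling. Creates the four credential files
# for the cacerts secret from an offline root CA and an intermediate CA,
# checks them, and (only when run with "apply") creates the secret.
# Assumptions: openssl 1.1.1+ and kubectl on PATH; names, key sizes and
# validity periods below are placeholders.
set -eu

make_ca_files() {
    dir="$1"
    mkdir -p "$dir"
    # Self-contained config so the result does not depend on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = example.com
[ v3_root ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # Root CA: self-signed. root-key.pem never goes into the cluster.
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_root \
        -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/O=example.com/CN=Example Root CA" \
        -keyout "$dir/root-key.pem" -out "$dir/root-cert.pem"
    # Intermediate CA: its cert and key become ca-cert.pem and ca-key.pem, the
    # pair Istiod signs workload certificates with. pathlen:0 means it may
    # sign only end-entity (workload) certificates, not further CAs.
    openssl req -new -config "$dir/openssl.cnf" \
        -newkey rsa:4096 -nodes -sha256 \
        -subj "/O=example.com/CN=Example Istio Intermediate CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -sha256 -days 730 \
        -CA "$dir/root-cert.pem" -CAkey "$dir/root-key.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_intermediate \
        -out "$dir/ca-cert.pem"
    # cert-chain.pem: intermediate first, then the root.
    cat "$dir/ca-cert.pem" "$dir/root-cert.pem" > "$dir/cert-chain.pem"
    rm -f "$dir/ca.csr" "$dir/root-cert.srl"
}

# Checks to run before uploading; each returns non-zero on failure.
verify_ca_files() {
    dir="$1"
    for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # ca-cert.pem must chain to root-cert.pem.
    openssl verify -CAfile "$dir/root-cert.pem" "$dir/ca-cert.pem" >/dev/null || return 1
    # The key must belong to ca-cert.pem, or Istiod cannot sign with it.
    [ "$(openssl x509 -in "$dir/ca-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/ca-key.pem" -pubout)" ] || return 1
    # The first certificate in cert-chain.pem must be ca-cert.pem itself.
    [ "$(openssl x509 -in "$dir/cert-chain.pem" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$dir/ca-cert.pem" -noout -fingerprint -sha256)" ] || return 1
}

# Steps 4 and 5 of the procedure: the secret keys take their names from the files.
create_cacerts_secret() {
    dir="$1"
    kubectl get namespace istio-system >/dev/null 2>&1 \
        || kubectl create namespace istio-system
    kubectl create secret generic cacerts --namespace istio-system \
        --from-file="$dir/ca-cert.pem" \
        --from-file="$dir/ca-key.pem" \
        --from-file="$dir/root-cert.pem" \
        --from-file="$dir/cert-chain.pem"
}

if [ "${1:-}" = "apply" ]; then
    ca_dir="${2:-./istio-ca}"
    make_ca_files "$ca_dir"
    verify_ca_files "$ca_dir"
    create_cacerts_secret "$ca_dir"
    echo "move $ca_dir/root-key.pem to offline storage; it is not in the secret"
fi
```

Run the script with the arguments apply ./istio-ca to create the files and the secret; without apply it only defines the functions. The root-key.pem it leaves in the directory is deliberately not part of the secret and should be moved to offline storage: with the intermediate's key in the cluster, a compromise of the cacerts secret can be recovered from by issuing a new intermediate from the same root, whereas a leaked root key means re-rooting the whole mesh.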

Re-create all workload certificates managed by Istiod and Citadel#

  1. In each namespace in which sidecar injection (either automatic or manual) is being used, delete all pods that have sidecars so that their controllers re-create them and the new pods request certificates from the plugged-in CA (Istio labels injected pods with security.istio.io/tlsMode=istio, which the selector below matches). Deleting every such pod in a namespace at once interrupts service; to avoid downtime, restart the workloads one deployment at a time with kubectl rollout restart instead.

    $ kubectl delete pods --namespace <namespaceName> \
        --selector security.istio.io/tlsMode=istio
    
  2. If Citadel is installed, restart all off-mesh, on-cluster pods that are configured to use a service account’s Citadel workload certificate:

    Example

    $ kubectl rollout restart deployment <deploymentName> --namespace <namespaceName>
    
  3. Change to the Aspen Mesh release directory.

  4. Reconfigure the Istio ingress gateway:

    $ helm upgrade istio-ingress manifests/charts/gateways/istio-ingress \
        --namespace <ingressNamespaceName> \
        --values aspen-mesh-override-values.yaml \
        --wait
    
  5. If you’re using the Istio egress gateway, reconfigure the Istio egress gateway:

    $ helm upgrade istio-egress manifests/charts/gateways/istio-egress \
        --namespace <egressNamespaceName> \
        --values aspen-mesh-override-values.yaml
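A check to run after the restarts above, as an added example rather than part of the Aspen Mesh procedure: Istiod distributes the root it trusts to every namespace in the istio-ca-root-cert ConfigMap, and a restarted sidecar's workload certificate should verify against your root-cert.pem through your ca-cert.pem. If either check fails, the mesh is still running on the self-signed CA or the pod was not re-created. It assumes kubectl, istioctl, jq and openssl on PATH; the pod and namespace names are arguments you supply, and the /tmp paths are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not Aspen Mesh tooling. Confirms that the mesh really uses
# the plugged-in CA. Usage: sh check-cacerts.sh <pod> <namespace> root-cert.pem
# Assumes kubectl, istioctl, jq and openssl on PATH (assumption).
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Istiod publishes the root it trusts into every namespace as the
# istio-ca-root-cert ConfigMap (key root-cert.pem). If the first root there
# does not match the one you plugged in, Istiod is still using another root.
check_distributed_root() {
    ns="$1"; expected="$2"
    kubectl get configmap istio-ca-root-cert --namespace "$ns" \
        -o jsonpath='{.data.root-cert\.pem}' > /tmp/distributed-root.pem
    [ "$(fingerprint /tmp/distributed-root.pem)" = "$(fingerprint "$expected")" ]
}

# A restarted sidecar must present a workload certificate that chains to
# root-cert.pem. istioctl proxy-config secret dumps Envoy's SDS secrets; the
# secret named "default" is the workload identity, with its chain inline.
check_workload_cert() {
    pod="$1"; ns="$2"; root="$3"
    istioctl proxy-config secret "$pod" --namespace "$ns" -o json \
        | jq -r '.dynamicActiveSecrets[] | select(.name == "default")
                 | .secret.tlsCertificate.certificateChain.inlineBytes' \
        | base64 -d > /tmp/workload-chain.pem
    # The first cert in the file is the leaf; the rest are the intermediates,
    # which are supplied as untrusted so only root-cert.pem is the anchor.
    openssl verify -CAfile "$root" -untrusted /tmp/workload-chain.pem \
        /tmp/workload-chain.pem
}

if [ "$#" -eq 3 ]; then
    check_distributed_root "$2" "$3"
    check_workload_cert "$1" "$2" "$3"
    echo "workload certificates chain to root $(fingerprint "$3")"
fi
```

The second check is the one that matters for the gateways as well: run it against an istio-ingressgateway pod after the helm upgrade to confirm the gateway's identity was reissued too.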