Managing In-Mesh Certificates

This feature is actively in development and is considered experimental.

Many users need to manage the types of the certificates used within their environment. For example, some users require the use of Elliptical Curve Cryptography (ECC) while others may need to use a stronger bit length for RSA certificates. Configuring certificates within your environment can be a daunting task for most users.

This document is only intended to be used for in-mesh communication. For managing certificates at your Gateway, see the Secure Gateways document. For managing the CA used by istiod to generate workload certificates, see the Plugin CA Certificates document.

istiod

When Istio is installed without a root CA certificate, istiod will generate a self-signed CA certificate using RSA 2048.

To change the self-signed CA certificate’s bit length, you will need to modify either the IstioOperator manifest provided to istioctl or the values file used during the Helm installation of the istio-discovery chart.

While there are many environment variables that can be changed for pilot-discovery, this document will only outline some of them.

  1. apiVersion: install.istio.io/v1alpha1
  2. kind: IstioOperator
  3. spec:
  4. values:
  5. pilot:
  6. env:
  7. CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
  1. pilot:
  2. env:
  3. CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096

Sidecars

Since sidecars manage their own certificates for in-mesh communication, the sidecars are responsible for managing their private keys and generated Certificate Signing Request (CSRs). The sidecar injector needs to be modified to inject the environment variables to be used for this purpose.

While there are many environment variables that can be changed for pilot-agent, this document will only outline some of them.

  1. apiVersion: install.istio.io/v1alpha1
  2. kind: IstioOperator
  3. spec:
  4. meshConfig:
  5. defaultConfig:
  6. proxyMetadata:
  7. CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
  1. meshConfig:
  2. defaultConfig:
  3. proxyMetadata:
  4. CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4. name: sleep
  5. spec:
  6. ...
  7. template:
  8. metadata:
  9. ...
  10. annotations:
  11. ...
  12. proxy.istio.io/config: |
  13. CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
  14. spec:
  15. ...

Signature Algorithm

By default, the sidecars will create RSA certificates. If you want to change it to ECC, you need to set ECC_SIGNATURE_ALGORITHM to ECDSA.

  1. apiVersion: install.istio.io/v1alpha1
  2. kind: IstioOperator
  3. spec:
  4. meshConfig:
  5. defaultConfig:
  6. proxyMetadata:
  7. ECC_SIGNATURE_ALGORITHM: "ECDSA"
  1. meshConfig:
  2. defaultConfig:
  3. proxyMetadata:
  4. ECC_SIGNATURE_ALGORITHM: "ECDSA"

Only P256 and P384 are supported via ECC_CURVE.

If you prefer to retain RSA signature algorithms and want to modify the RSA key size, you can change the value of WORKLOAD_RSA_KEY_SIZE.