Extending Self-Signed Certificate Lifetime

You can skip this guide if your cluster was started with Istio version 1.3 or later, or if you do not use the Istio self-signed certificates.

Before version 1.3, Istio self-signed certificates had a 1 year default lifetime. If your cluster started with Istio version 1.2 or earlier, and it is using Istio self-signed certificates, you need to be mindful about the expiration date of the root certificate. The expiration of a root certificate may lead to an unexpected cluster-wide outage.

The following steps show you how to examine the remaining lifetime for your root certificate, and how to transition to a new root certificate with a 10 year lifetime.

Root transition procedure

  1. Check when the root certificate expires:

    Download this script on a machine that has kubectl access to the cluster.

    $ wget https://raw.githubusercontent.com/istio/tools/release-1.8/bin/root-transition.sh
    $ chmod +x root-transition.sh
    $ ./root-transition.sh check-root
    ...
    =====YOU HAVE 30 DAYS BEFORE THE ROOT CERT EXPIRES!=====

    Execute the remainder of the steps prior to root certificate expiration to avoid system outages.

  2. Execute a root certificate transition:

    $ ./root-transition.sh root-transition
    Create new ca cert, with trust domain as cluster.local
    Wed Jun 5 19:11:15 PDT 2019 delete old ca secret
    secret "istio-ca-secret" deleted
    Wed Jun 5 19:11:15 PDT 2019 create new ca secret
    secret/istio-ca-secret created
    pod "istiod-86f88b6f6-d8hjt" deleted
    Wed Jun 5 19:11:18 PDT 2019 restarted Citadel, checking status
    NAME                      READY   STATUS    RESTARTS   AGE
    istiod-5d4798c786-w782z   1/1     Running   0          3s
    New root certificate:
    Certificate:
        Data:
            ...
            Validity
                Not Before: Jun  6 03:24:43 2019 GMT
                Not After : Jun  3 03:24:43 2029 GMT
            Subject: O = cluster.local
            ...
    Your old certificate is stored as old-ca-cert.pem, and your private key is stored as ca-key.pem
    Please save them safely and privately.

  3. Verify the new workload certificates are loaded by Envoy:

    Envoy proxies will retrieve the new root certificate when they rotate the workload key and certificates. Because the rotation is triggered based on the remaining lifetime of the existing certificate, with the default 24 hour workload certificate lifetime, expect the root transition to happen within the next 12 hours (within the 12 hour window, all workloads should rotate their keys and certificates). You can verify whether an Envoy has received the new certificates. The following command shows an example to check the Envoy’s certificate for a pod.

    $ kubectl exec [YOUR_POD] -c istio-proxy -n [YOUR_NAMESPACE] -- curl http://localhost:15000/certs | head -c 1000
    {
      "certificates": [
        {
          "ca_cert": [
            ...
            "valid_from": "2019-06-06T03:24:43Z",
            "expiration_time": ...
          ],
          "cert_chain": [
            {
              ...
            }

    Inspect the valid_from value of ca_cert. If it matches the Not Before value of the new certificate shown in Step 2, your Envoy has loaded the new root certificate. If an Envoy does not load the new certificate, check the health of Istiod. You may also manually restart the workloads.
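The two checks in this procedure (days left on the root in Step 1, and whether an Envoy has picked up the new root in Step 3) implemented as an added example in Python. This is not code from the Istio project or from root-transition.sh; the openssl Validity block and the /certs JSON it reads are constructed inline from the values shown above, and the function names are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Date layouts: openssl "Not Before: Jun  6 03:24:43 2019 GMT", Envoy "2019-06-06T03:24:43Z"
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"
ENVOY_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: the Validity block printed in Step 2 for the new 10 year root
NEW_ROOT_TEXT = """\
Validity
    Not Before: Jun  6 03:24:43 2019 GMT
    Not After : Jun  3 03:24:43 2029 GMT
Subject: O = cluster.local
"""
# Constructed /certs output from an Envoy that has loaded the new root, and one that has not
ENVOY_CERTS_NEW = json.dumps({"certificates": [{
    "ca_cert": [{"valid_from": "2019-06-06T03:24:43Z", "expiration_time": "2029-06-03T03:24:43Z"}],
    "cert_chain": [{"valid_from": "2019-06-06T12:00:00Z", "expiration_time": "2019-06-07T12:00:00Z"}]}]})
ENVOY_CERTS_OLD = json.dumps({"certificates": [{
    "ca_cert": [{"valid_from": "2018-06-06T03:24:43Z", "expiration_time": "2019-06-06T03:24:43Z"}],
    "cert_chain": [{"valid_from": "2019-06-05T12:00:00Z", "expiration_time": "2019-06-06T12:00:00Z"}]}]})

def _utc(s, fmt):
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_openssl_validity(text):
    """Return (not_before, not_after) from the Validity block of `openssl x509 -text` output."""
    def grab(label):
        m = re.search(rf"{label}\s*:\s*(.+)", text)
        if not m:
            raise ValueError(f"no '{label}' line in certificate text")
        # openssl pads single-digit days with two spaces; collapse them before parsing
        return _utc(" ".join(m.group(1).split()), OPENSSL_FMT)
    return grab("Not Before"), grab("Not After")

def days_until_expiry(validity_text, now_iso):
    """Step 1 check: whole days left on the root at now_iso (Envoy-style ISO-8601 UTC)."""
    _, not_after = parse_openssl_validity(validity_text)
    return (not_after - _utc(now_iso, ENVOY_FMT)).days

def envoy_has_new_root(certs_json, validity_text):
    """Step 3 check: True if any ca_cert valid_from equals the new root's Not Before."""
    new_not_before, _ = parse_openssl_validity(validity_text)
    for entry in json.loads(certs_json)["certificates"]:
        for ca in entry.get("ca_cert", []):
            if _utc(ca["valid_from"], ENVOY_FMT) == new_not_before:
                return True
    return False
```

Run `days_until_expiry` against the live root (the Validity block from `openssl x509 -text` on the cert in istio-ca-secret) and `envoy_has_new_root` against the output of the kubectl exec command above for each workload you need to confirm.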
