Managing In-Mesh Certificates
Many users need to manage the types of the certificates used within their environment. For example, some users require the use of Elliptical Curve Cryptography (ECC) while others may need to use a stronger bit length for RSA certificates. Configuring certificates within your environment can be a daunting task for most users.
This document is only intended to be used for in-mesh communication. For managing certificates at your Gateway, see the Secure Gateways document. For managing the CA used by istiod to generate workload certificates, see the Plugin CA Certificates document.
istiod
When Istio is installed without a root CA certificate, istiod will generate a self-signed CA certificate using RSA 2048.
To change the self-signed CA certificate’s bit length, you will need to modify either the IstioOperator manifest provided to
istioctl
or the values file used during the Helm installation of the istio-discovery chart.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
pilot:
env:
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
pilot:
env:
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
Sidecars
Since sidecars manage their own certificates for in-mesh communication, the sidecars are responsible for managing their private keys and generated Certificate Signing Request (CSRs). The sidecar injector needs to be modified to inject the environment variables to be used for this purpose.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
defaultConfig:
proxyMetadata:
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
meshConfig:
defaultConfig:
proxyMetadata:
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
apiVersion: apps/v1
kind: Deployment
metadata:
name: curl
spec:
...
template:
metadata:
...
annotations:
...
proxy.istio.io/config: |
CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE: 4096
spec:
...
Signature Algorithm
By default, the sidecars will create RSA certificates. If you want to change it to
ECC, you need to set ECC_SIGNATURE_ALGORITHM
to ECDSA
.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
defaultConfig:
proxyMetadata:
ECC_SIGNATURE_ALGORITHM: "ECDSA"
meshConfig:
defaultConfig:
proxyMetadata:
ECC_SIGNATURE_ALGORITHM: "ECDSA"
Only P256 and P384 are supported via ECC_CURVE
.
If you prefer to retain RSA signature algorithms and want to modify the RSA key size,
you can change the value of WORKLOAD_RSA_KEY_SIZE
.