For more information about Istio certificates, see the Istio CA overview.

About this approach

AWS Private CA is a managed CA that you can use to your secure apps and devices with private TLS certificates. In this setup, you use the AWS Private CA to generate and store your root CA and subordinate CAs that you use to generate Istio intermediate CAs for your workload clusters. To manage the lifecycle of Istio intermediate CA certificates, you also install cert-manager. Cert-manager is a Kubernetes controller that helps you automate the process of obtaining and renewing certificates from various PKI providers, such as AWS Private CA, Gloo Cloud CA, or Vault.

With this approach, you get the following benefits:

  • Secure storage of root CA certificates and keys.
  • AWS subordinate CAs that serve as an additional security layer for your root CA.
  • Automatic Istio intermediate CA certificates and renewals with cert-manager to make sure they are derived from the same root, which enables workload communication across clusters.
  • The possibility to reuse this architecture for other certificates, such as the Gloo relay certificates.

Architecture overview

The following image shows the components that you set up as part of this approach and how they work together to obtain Istio intermediate CA certificates.

Figure: Overview of issuing Istio intermediate CA and leaf certificates with cert-manager and AWS Private CA issuer

  1. You use the managed AWS Private Certificate Authority to create the root CA certificate and private key.
  2. The private root CA key is then used to create a certificate and private key for the AWS subordinate CA.
  3. To generate an Istio intermediate CA certificate, you create a Certificate custom resource in the workload cluster. The Certificate is a cert-manager resource and includes all the details about the intermediate CA certificate that you want to create, such as the expiration date or the algorithm you want to use for the private key. The Certificate resource uses the AWS Private CA issuer custom resource to connect to the cert-manager and the AWS Private CA issuer plug-in in the cert-manager namespace.
  4. Cert-manager uses the AWS Private CA issuer plug-in to send a certificate signing request to the AWS Private CA.
  5. The plug-in uses a service account and AWS IAM role to authenticate with the AWS Private CA.
  6. Once authenticated, the certificate signing request is forwarded to the AWS subordinate CA.
  7. The AWS subordinate verifies the request, and signs and issues an Istio intermediate CA certificate. The certificate is returned to the AWS Private CA issuer plug-in and cert-manager instance in the workload cluster.
  8. Cert-manager stores the private key and intermediate certificate in the cacerts Kubernetes secret in the istio-system namespace.
  9. Workloads in the service mesh send a certificate signing request to the Istio control plane istiod to receive a leaf certificate.
  10. Istiod verifies the request, and uses the private intermediate CA key from the cacerts Kubernetes secret to sign and issue a leaf certificate.
  11. The leaf certificate is returned to the workload.
  12. The sidecar proxies of each workload use the leaf certificate to securely communicate with other workloads in the service mesh by using mutual TLS (mTLS).

Setup

Check out this blog for more information about how to set up AWS Private CA issuer and cert-manager for your Istio intermediate CA certificates.