Root certificate rotation

Expiration settings

If you use Gloo self-signed certificates to create the root CA as described in Option 1: Fully managed root and intermediate CAs, the root CA is valid for 1 year by default. You can customize the validity of the root CA by setting the ttlDays in the spec.config.mgmtServerCa.generated section of your root trust policy.

The following example creates a self-signed root CA certificate that is valid for 730 days.

  apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  config:
    mgmtServerCa: 
      generated:
        ttlDays: 730
  

Certificate rotation process

To update your root CA, follow these general steps. Note that rotating the root CA certificate is a multi-day process so that your workloads gradually pick up the new root CA certificate without downtime.

Intermediate certificate rotation

Automatic intermediate CA rotation is enabled for all managed CA setups that are described in the Setup options.

Rotation and expiration settings

If not otherwise specified, the intermediate CA certificates that Gloo Mesh generates are valid for 1 year by default. To customize the certificate validity, you can specify the number of days the intermediate certificate is valid for in the ttlDays field of the spec.config.intermediateCertOptions section of the root trust policy. In addition, you specify when you want Gloo Mesh to start the certificate rotation process by setting the spec.config.intermediateCertOptions.secretRotationGracePeriodRatio option.

In the following example root trust policy, the intermediate certificate is valid for one day. Because the grace period ratio is set to 0.1, Gloo Mesh starts rotating the certificate 2.4 hours before the certificate expires (24hx0.1).

  apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  config:
    intermediateCertOptions:
      secretRotationGracePeriodRatio: 0.1
      ttlDays: 1
    mgmtServerCa: 
      generated:
        ttlDays: 730
  

Certificate rotation process

The following diagram shows how intermediate CA certificates are rotated behind the scenes when a certificate reconcile event is received in Gloo Mesh.

Figure: Automatic intermediate CA certificate rotation process in Gloo Mesh Enterprise
Figure: Automatic intermediate CA certificate rotation process in Gloo Mesh Enterprise
Figure: Automatic intermediate CA certificate rotation process in Gloo Mesh Enterprise
Figure: Automatic intermediate CA certificate rotation process in Gloo Mesh Enterprise

Rollout of updated certificates

If you installed Istio with the AUTO_RELOAD_PLUGIN_CERTS=true option, the Istio control plane istiod automatically picks up new intermediate CA certificates and uses these certificates to sign the leaf certificates for the workloads. No restart of the istiod pod is required.

However, if you did not or do not want to enable this option, you must manually restart the istiod pod to apply the intermediate CA changes.

Leaf certificate rotation

By default, leaf certificates that are issued for the workloads in the service mesh are valid for 24 hours. You can change this value by setting the proxyMetadata.SECRET_TTL value in your Istio operator configuration, such as by upgrading Gloo Mesh-managed Istio. For example, to issue certificates that are valid for 12 hours, set the proxyMetadata.SECRET_TTL value to 12h0m0s.