
    These docs use the Kubernetes Gateway API to manage your service mesh. To manage your sidecar service mesh with Gloo Mesh Enterprise APIs instead, see the Gloo Mesh Enterprise docs.

    BYO server and client certificates

    Bring your own server and client TLS certificates and manage the TLS certificate lifecycle yourself.

    OpenSSL

    Create your certificates by using OpenSSL and manually provide them to your Gloo management server …

    AWS

    Set up the relay root and intermediate certificate authorities (CAs) to generate the relay server …

    Vault

    Use Vault to generate the root and intermediate CA certificates, and use cert-manager to …

    Solo.io copyright 2025