[Videos] Avoiding Downtime With Istio 1.6 Certificate Rotation

Istio uses certificates to issue workload identity following the SPIFFE specification. To manage issuing, signing, and rotating these certificates at runtime, Istio has a built in CA component (in Istio 1.5 and newer, you’ll see this co-located with the istiod component in the control plane). These workload certificates are used to establish mTLS, assert identity, and enforce policies like Authentication and Authorization.

At times, operators of the Istio service mesh will need to rotate the signing certificates Istio uses in its CA. For example, maybe a certificate is about to expire, or maybe it fell into the wrong hands. Since all of the traffic in the mesh will likely be using their respective workload certificates for mTLS, we need to make sure rotation of these signing certificates (including Root certificates at times) does not lead to down time.

In this multi-series set of videos, we walk through understanding Istio’s CA and how to safely rotate signing certificates. These videos are short and easily consumable (~5 min each)

Setting the context: Understanding Istio’s Root CA

In this video we walk through the basics of bootstrapping Istio’s signing CA (as discussed above). This video sets the context for the rest of the videos.

Plugging in your own signing certificates

In this video we see what happens if we go from Istio’s default, out of the box CA to our own CA with a different root. Notice how we break mTLS and trust in the system:

Rotating intermediate certificates (same root)

In this video, we’re on our own certificate with an organizational trust root and we wish to issue and rotate the intermediate certificate that Istio CA uses to sign workloads, let’s see what happens when we do that:

Establishing trust for multiple roots (temporarily)

In this video we show how Istio can trust multiple root certificates for a period of time to enable rotation of the signing certificate with a new root (ie, when we need to rotate a Root CA):

Rotating intermediate certificates (different root)

In this last video we introduce the new signing certificate which has a different/new root. Let’s see how Istio behaves in this scenario:

Learn More

We hope you enjoy these videos to learn more about how to use Istio.