Istio

Follow these steps to get certificates from Trust Lifecycle Manager into an Istio service mesh, using the cert-manager utility and ACMEv2 protocol.

Before you begin

Certificate profile

In DigiCert® Trust Lifecycle Manager, use the following base template to create a certificate profile for issuing mTLS certificates for the service mesh via ACME.

  Template name                        Trust type   Seat type   Issuing CA             Enrollment method
  CA Manager Private mTLS Certificate  Private      Server      DigiCert® CA Manager   mTLS over ACME

The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:

  • ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.

  • Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.

  • HMAC key: Used to encrypt and authenticate your account key during certificate requests.

Root CA certificate

In DigiCert® CA Manager, download the root CA certificate for the issuing CA selected in the Trust Lifecycle Manager certificate profile. You will use this root CA certificate to establish trust in the service mesh environment.

  1. Open the managers menu in the top-right area of DigiCert ONE and select CA.

  2. Select Manage CAs > Roots from the CA Services menu. Locate the root of the issuing CA for the Trust Lifecycle Manager certificate profile.

  3. Hover over the name of the root CA, open its actions (three dots) menu, and select the option to Download certificate .pem.

cert-manager

On the Istio end, set up the cert-manager utility to get certificates from Trust Lifecycle Manager via its ACME service.

  1. Use the following command to install cert-manager in your service mesh environment.

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
    
  2. Use the following command to create a Kubernetes secret for DigiCert ACME external account binding (EAB).

    kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>

    Supply a name for the secret in the eab_secret_name parameter. For the eab_hmac parameter, supply the HMAC key for your certificate profile in Trust Lifecycle Manager. Supply the Istio namespace name to use in the namespace parameter. For example:

    kubectl create secret generic digicert-acme --from-literal secret=MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg -n istio-system

    Note that Kubernetes secret names must be valid DNS subdomain names (lowercase letters, digits, hyphens and dots), so a name such as digicert_acme with an underscore is rejected by kubectl.

Integration workflow

  1. Download the integration package: Download the sample file to help set up the integration.

  2. Add the ACME-based issuer in cert-manager: Use the sample file to enable DigiCert ACME issuance in the service mesh environment.

  3. Install istio-csr and Istio: Set up istio-csr and Istio to get certificates in the service mesh via the ACME-based issuer in cert-manager.

Note

The downloadable sample file is also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Istio.

Step 1. Download the integration package

Download the Istio integration package and extract the contents of the ZIP archive to get the following file:

  • sample-issuer.yaml: Sample configuration file to add an ACME-based issuer in cert-manager.

Step 2. Add the ACME-based issuer in cert-manager

  1. Update the sample-issuer.yaml file to supply values for the following parameters:

    • metadata section:

      • name: ACME-based issuer name.

      • namespace: Istio namespace name.

    • spec > acme section:

      • email: Email address of the technical contact for issued certificates.

      • server: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.

      • externalAccountBinding > keyID: ACME EAB key identifier (KID) for the target certificate profile.

      • externalAccountBinding > keySecretRef > name: Name of the Kubernetes secret for DigiCert ACME external account binding (EAB).

      • externalAccountBinding > privateKeySecretRef > name: Kubernetes secret name to use for storing the private key for DigiCert ACME EAB.

  2. Run the following command and wait for the ACME account to be created. If you renamed the sample issuer configuration file, supply the new name as the final argument.

    kubectl apply -f sample-issuer.yaml

  3. Run the following command to verify the ACME account has been registered to the DigiCert ACME server. Supply the Istio namespace name as the final argument.

    kubectl describe issuer -n <namespace>
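A filled-in Issuer manifest of the shape described in this step, added here as an illustration (it is not the sample-issuer.yaml from the integration package). The issuer name, namespace, e-mail address, secret names, server URL and KID are placeholder values; note that in the cert-manager v1 API the ACME account private key reference (privateKeySecretRef) sits directly under spec.acme, and any challenge solvers are not shown, so keep whatever the downloaded sample file defines for them.

```yaml
# Added example: cert-manager Issuer for DigiCert ACME with external account
# binding (EAB). All values are placeholders; take the real ACME Directory URL
# and KID from the certificate profile in Trust Lifecycle Manager.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: digicert-acme-issuer        # ACME-based issuer name (referenced later by istio-csr)
  namespace: istio-system           # Istio namespace
spec:
  acme:
    email: pki-team@example.com     # technical contact for issued certificates
    server: "<ACME_directory_URL>"  # ACME Directory URL of the target certificate profile
    # Secret in which cert-manager stores the ACME account private key it generates
    privateKeySecretRef:
      name: digicert-acme-account-key
    externalAccountBinding:
      keyID: "<ACME_EAB_KID>"       # Key identifier (KID) of the certificate profile
      keySecretRef:
        name: digicert-acme         # secret created with "kubectl create secret generic ..."
        key: secret                 # matches the "--from-literal secret=<eab_hmac>" key
```

After applying the manifest, the Ready condition and the registered ACME account URL appear under status in the kubectl describe issuer output; a false Ready condition with an EAB-related message usually points at a mismatched KID or HMAC key.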

Step 3. Install istio-csr and Istio

For this part, refer to the official istio-csr installation guide for more details.

Warning

The steps here must be completed in the given order. The istio-csr utility must be installed before installing Istio. If Istio is already installed, uninstall it first.

  1. Use the root CA certificate downloaded from DigiCert® CA Manager to create a Kubernetes secret, following step 4 in the official istio-csr installation guide. This establishes trust for the issued certificates within the service mesh.

  2. Install istio-csr via Helm with the following parameters. Supply the name of the ACME-based issuer in cert-manager for the ACME_issuer_name parameter. The app.tls.rootCAFile value is the full path at which the root CA certificate from the Kubernetes secret created in the previous step is mounted. See step 5 in the official istio-csr installation guide for more details.

    helm install -n jetstack-secure cert-manager-istio-csr jetstack/cert-manager-istio-csr \
      --set app.certmanager.issuer.name=<ACME_issuer_name> \
      --set app.certmanager.kind.name=Issuer \
      --set app.certmanager.group.name=cert-manager.io \
      --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
      --set "volumeMounts[0].name=root-ca" \
      --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
      --set "volumes[0].name=root-ca" \
      --set "volumes[0].secret.secretName=istio-root-ca"

  3. Install Istio, following step 6 in the official istio-csr installation guide.

What's next

When a certificate is needed for client or server authentication in the service mesh:

  1. The Istio daemon (istiod) generates the CSR.

  2. The istio-csr utility picks up the CSR and creates a CertificateRequest resource for cert-manager.

  3. cert-manager sends the request to the DigiCert ACME service and downloads the resulting certificate from Trust Lifecycle Manager.

  4. The istio-csr utility returns the issued certificate to the Istio daemon, which distributes it into the service mesh.

You can run the following command at any time to see detailed status information about all certificate resources in Kubernetes. Supply the Istio namespace name as the final argument.

kubectl describe certificate -n <namespace>

The certificates also appear in the Trust Lifecycle Manager Inventory view so you can monitor them and set up notifications.