Istio
Follow these steps to get certificates from Trust Lifecycle Manager into an Istio service mesh, using the cert-manager utility and the ACMEv2 protocol.
Before you begin
Certificate profile
In DigiCert® Trust Lifecycle Manager, use the following base template to create a certificate profile for issuing mTLS certificates for the service mesh via ACME.
| Template name | Trust type | Seat type | Issuing CA | Enrollment method |
|---|---|---|---|---|
| | Private | | DigiCert® CA Manager | mTLS over ACME |
The profile defines the general certificate properties and provides the required ACME URL and external account binding (EAB) credentials:
ACME Directory URL: The ACME server URL to request certificates from Trust Lifecycle Manager.
Key identifier (KID): Identifies the certificate profile in your Trust Lifecycle Manager account.
HMAC key: Used to encrypt and authenticate your account key during certificate requests.
Root CA certificate
In DigiCert® CA Manager, download the root CA certificate for the issuing CA selected in the Trust Lifecycle Manager certificate profile. You will use this root CA certificate to establish trust in the service mesh environment.
Open the managers menu in the top-right area of DigiCert ONE and select CA.
Select Manage CAs > Roots from the CA Services menu. Locate the root of the issuing CA for the Trust Lifecycle Manager certificate profile.
Hover the name of the root CA, open the actions (three dots) menu for it, and select the option to Download certificate .pem.
cert-manager
On the Istio end, set up the cert-manager utility to get certificates from Trust Lifecycle Manager via its ACME service.
Use the following command to install cert-manager in your service mesh environment.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
Use the following command to create a Kubernetes secret for DigiCert ACME external account binding (EAB).
kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>
Supply a name for the secret in the eab_secret_name parameter. For the eab_hmac parameter, supply the HMAC key for your certificate profile in Trust Lifecycle Manager. Supply the Istio namespace name to use in the namespace parameter. Note that Kubernetes secret names must be valid DNS subdomain names (lowercase letters, digits, hyphens and dots only). For example:
kubectl create secret generic digicert-acme --from-literal secret=MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg -n istio-system
Integration workflow
Download the integration package: Download the sample file to help set up the integration.
Add the ACME-based issuer in cert-manager: Use the sample file to enable DigiCert ACME issuance in the service mesh environment.
Install istio-csr and Istio: Set up istio-csr and Istio to get certificates in the service mesh via the ACME-based issuer in cert-manager.
Note
The downloadable sample file is also available from the Integrations > Connectors page in Trust Lifecycle Manager by selecting Add connector > Infrastructure automation > Istio.
Step 1. Download the integration package
Download the Istio integration package and extract the contents of the ZIP archive to get the following file:
sample-issuer.yaml: Sample configuration file to add an ACME-based issuer in cert-manager.
Step 2. Add the ACME-based issuer in cert-manager
Update the sample-issuer.yaml file to supply values for the following parameters:
metadata section:
name: ACME-based issuer name.
namespace: Istio namespace name.
spec > acme section:
email: Email address of the technical contact for issued certificates.
server: ACME Directory URL for the target certificate profile in Trust Lifecycle Manager.
externalAccountBinding > keyID: ACME EAB key identifier (KID) for the target certificate profile.
externalAccountBinding > keySecretRef > name: Name of the Kubernetes secret for DigiCert ACME external account binding (EAB).
externalAccountBinding > privateKeySecretRef > name: Kubernetes secret name to use for storing the private key for DigiCert ACME EAB.
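The following is a filled-in sample-issuer.yaml added here to show where each parameter above sits in a cert-manager v1 Issuer resource; it is an illustration, not DigiCert's own sample file. The issuer name, contact address, secret names, ACME directory URL and KID are placeholder assumptions, keySecretRef.key is set to secret because that is the literal key name used by the kubectl create secret command above, and privateKeySecretRef is placed under spec.acme as the cert-manager API defines it.

```yaml
# Added example of a cert-manager ACME Issuer for a Trust Lifecycle Manager
# mTLS-over-ACME certificate profile. Values in <angle brackets> come from the
# certificate profile; the other names are assumptions for this example.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: digicert-acme-issuer        # ACME-based issuer name (assumed)
  namespace: istio-system           # Istio namespace name
spec:
  acme:
    # Technical contact recorded on the ACME account (assumed address)
    email: pki-team@example.com
    # ACME Directory URL shown on the Trust Lifecycle Manager profile
    server: <ACME_directory_URL_from_profile>
    # Secret that cert-manager creates to store the ACME account private key
    # (the "privateKeySecretRef" parameter); the name is yours to choose
    privateKeySecretRef:
      name: digicert-acme-account-key
    externalAccountBinding:
      # Key identifier (KID) from the Trust Lifecycle Manager profile
      keyID: <EAB_KID_from_profile>
      # The EAB secret created earlier with
      #   kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n istio-system
      # "key" must match the literal name used there ("secret"). Secret names
      # must be valid DNS subdomains: hyphens are allowed, underscores are not.
      keySecretRef:
        name: digicert-acme
        key: secret
    # No challenge solver is configured (assumption): the mTLS-over-ACME
    # profile is expected to issue private certificates for the names in the
    # CSR without domain validation, which is what istio-csr workload
    # certificates require.
```

After applying the manifest, kubectl describe issuer -n istio-system should show a Ready condition with the message that the ACME account was registered; a missing or misnamed EAB secret surfaces there as the reason the account registration failed.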
Run the following command and wait for the ACME account to be created. If you renamed the sample issuer configuration file, supply the new name as the final argument.
kubectl apply -f sample-issuer.yaml
Run the following command to verify the ACME account has been registered to the DigiCert ACME server. Supply the Istio namespace name as the final argument.
kubectl describe issuer -n <namespace>
Step 3. Install istio-csr and Istio
For this part, refer to the official istio-csr installation guide for more details.
Warning
The steps here must be completed in the given order. The istio-csr utility must be installed before installing Istio. If Istio is already installed, uninstall it first.
Use the root CA certificate downloaded from DigiCert® CA Manager to create a Kubernetes secret, following step 4 in the official istio-csr installation guide. This establishes trust for the issued certificates within the service mesh.
Install istio-csr via helm, with the following parameters. Supply the name of the ACME-based issuer in cert-manager for the ACME_issuer_name parameter. The app.tls.rootCAFile variable specifies the complete path to the root CA certificate from the Kubernetes secret in the previous step. See step 5 in the official istio-csr installation guide for more details.
helm install -n jetstack-secure cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --set app.certmanager.issuer.name=<ACME_issuer_name> \
  --set app.certmanager.kind.name=Issuer \
  --set app.certmanager.group.name=cert-manager.io \
  --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
  --set "volumeMounts[0].name=root-ca" \
  --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
  --set "volumes[0].name=root-ca" \
  --set "volumes[0].secret.secretName=istio-root-ca"
Install Istio, following step 6 in the official istio-csr installation guide.
What's next
When a certificate is needed for client or server authentication in the service mesh:
The Istio daemon (istiod) generates the CSR.
The istio-csr utility picks up the CSR and creates a CertificateRequest resource for cert-manager.
cert-manager sends the request to the DigiCert ACME service and downloads the resulting certificate from Trust Lifecycle Manager.
The istio-csr utility returns the issued certificate to the Istio daemon, which distributes it into the service mesh.
You can run the following command at any time to see detailed status information about all certificate resources in Kubernetes. Supply the Istio namespace name as the final argument.
kubectl describe certificate -n <namespace>
The certificates also appear in the Trust Lifecycle Manager Inventory view so you can monitor them and set up notifications.