Using ACM PCA to sign Istio’s CA for EKS

In the needs of signing a intermediary Certificate Authority for Istio’s envoy mTLS, I have used OpenSSL and AWS CLI to achieve the task.

Context:

Assuming this ACM PCA infrastructure:

PKI Structure

Goal:

Generate a CA CSR to be signed by CA of Account #2 to use as Istio’s mTLS CA. All that in preparation to use Istio in multicluster.

1- Using OpenSSL to generate a CA and its CSR.

openssl genrsa -out ca-key.pem 4096
openssl req -new -config intermediate.conf -key ca-key.pem -out cluster-ca.csr

content of the intermediate.conf file :

[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits =
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Istio
CN = Intermediate CA

n.b.: assuming your installing istio in eks istio-system namespace

2- Using AWS CLI to sign CSR against CA Level1 of account #2

aws acm-pca issue-certificate — certificate-authority-arn “arn:aws:acm-pca:ca-central-1:12345678910:certificate-authority/aaaaaa-bbbbb-ccccc-dddd-eeeee” — csr “LS0………kVRIUUIUUI0tLD0tCx==” — signing-algorithm “SHA512WITHRSA” — validity Value=5,Type=”YEARS” — idempotency-token 1234 — template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1

Replace the CA’s arn and produce a BASE64 of your CSR and insert it after the — csr argument. Also, notice the the PathLen is set to 0.

This generates an ACM PCA certificate and outputs its arn.

3- Using AWS CLI to fetch the certificate information from account #2

aws acm-pca get-certificate — certificate-authority-arn “arn:aws:acm-pca:ca-central-1:1234568910:certificate-authority/aaaaaa-bbbbbb–ccccccc-dddd-eeeeeeeeeee” — certificate-arn arn:aws:acm-pca:ca-central-1:12345678910:certificate-authority/aaaaaa-bbbbb-ccccccc-dddddd-eeee/certificate/51ijweiij23ijidd22173 — output text

Replace the CA arn and Certificate arn from previous output. This will output the new certificate and the rest of the chain in a single time.

4- Create istio eks namespace and deposit the new signed CA prior to Istio’s install

Prior to secret creation, depending on your PKI infrastructure, copy the first outputted certificate as ca-cert.pem and the last as cert-root.pem and keep the whole output in the cert-chain.pem file.

kubectl create secret generic ca-certs -n istio-system \
— from-file=ca-cert.pem \
— from-file=ca-key.pem \
— from-file=root-cert.pem \
— from-file=cert-chain.pem

Install Istio ( version 1.9 tested ) and after installation restart rollout Istio’s deployments

Voila!

Take a look at istiod’s logs they should mention that its using the new intermediary CA and that it’s able to generate certs.

You can also run istioctl proxy-status to be sure all is okay

Next steps, see how to use a solution as Vault

DevOps enabler, SAFe enthousiast, Cloud Arch.