To sign an intermediate Certificate Authority for Istio's Envoy mTLS, I used OpenSSL and the AWS CLI to get the job done.
Context:
Assuming this ACM PCA infrastructure:
Goal:
Generate a CA CSR to be signed by the CA of Account #2 and use the result as Istio's mTLS CA, all in preparation for running Istio in multicluster mode.
1- Use OpenSSL to generate the CA key and its CSR.
openssl genrsa -out ca-key.pem 4096
openssl req -new -config intermediate.conf -key ca-key.pem -out cluster-ca.csr
Content of the intermediate.conf file:
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
DNS.1 = istiod.istio-system.svc
[ req_dn ]
O = Istio
CN = Intermediate CA
n.b.: this assumes you're installing Istio in the istio-system namespace on EKS.
2- Use the AWS CLI to sign the CSR against the Level 1 CA of account #2
aws acm-pca issue-certificate --certificate-authority-arn "arn:aws:acm-pca:ca-central-1:12345678910:certificate-authority/aaaaaa-bbbbb-ccccc-dddd-eeeee" --csr "LS0………kVRIUUIUUI0tLD0tCx==" --signing-algorithm "SHA512WITHRSA" --validity Value=5,Type="YEARS" --idempotency-token 1234 --template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1
Replace the CA's ARN, base64-encode your CSR and insert it after the --csr argument. Also notice that the PathLen is set to 0: the template pins pathlen:0, so this intermediate can only issue end-entity (workload) certificates and cannot sign further CAs.
This issues a certificate from ACM PCA and outputs its ARN.
3- Use the AWS CLI to fetch the certificate from account #2
aws acm-pca get-certificate --certificate-authority-arn "arn:aws:acm-pca:ca-central-1:1234568910:certificate-authority/aaaaaa-bbbbbb-ccccccc-dddd-eeeeeeeeeee" --certificate-arn arn:aws:acm-pca:ca-central-1:12345678910:certificate-authority/aaaaaa-bbbbb-ccccccc-dddddd-eeee/certificate/51ijweiij23ijidd22173 --output text
Replace the CA ARN and certificate ARN with the values from the previous output. This prints the new certificate together with the rest of the chain in one go.
4- Create the istio-system namespace on EKS and deposit the newly signed CA before installing Istio
Before creating the secret, and depending on your PKI infrastructure, copy the first certificate in the output to ca-cert.pem and the last one to root-cert.pem, and keep the whole output in the cert-chain.pem file.
kubectl create secret generic ca-certs -n istio-system \
--from-file=ca-cert.pem \
--from-file=ca-key.pem \
--from-file=root-cert.pem \
--from-file=cert-chain.pem
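The split and verification described in step 4, as an added example that is not part of the original post: it assumes openssl is on PATH and, since no AWS account is reachable offline, constructs a throwaway root + intermediate locally as a stand-in for the ACM PCA output; split_chain, verify_ca and make_stand_in are names chosen here.

```shell
# Added example, not from the original post: split the PEM bundle printed by
# `aws acm-pca get-certificate --output text` into the three files the ca-certs secret needs
# (first cert -> ca-cert.pem, last cert -> root-cert.pem, all -> cert-chain.pem) and verify
# the chain before anything is deposited into the cluster. Assumptions: openssl is on PATH;
# no AWS account is reachable offline, so make_stand_in builds a throwaway root + intermediate
# locally (constructed data) and concatenates them in the order ACM PCA returns them.
set -eu
split_chain() {  # $1 = raw get-certificate output, $2 = output dir; prints the number of certs
  bundle=$1; out=$2; mkdir -p "$out"
  # --output text separates the Certificate and CertificateChain fields with a tab, so tabs
  # become newlines and only lines inside BEGIN/END markers are kept, one file per certificate.
  n=$(tr '\t' '\n' < "$bundle" | awk -v d="$out" '
      /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
      keep { print > (d "/cert-" n ".pem") }
      /-----END CERTIFICATE-----/   { keep = 0 }
      END { print n + 0 }')
  [ "$n" -ge 2 ] || { echo "expected at least 2 certificates, got $n" >&2; return 1; }
  cp "$out/cert-1.pem" "$out/ca-cert.pem"      # the newly issued intermediate
  cp "$out/cert-$n.pem" "$out/root-cert.pem"   # the root of the chain
  i=1; : > "$out/cert-chain.pem"
  while [ "$i" -le "$n" ]; do cat "$out/cert-$i.pem" >> "$out/cert-chain.pem"; i=$((i + 1)); done
  rm -f "$out"/cert-[0-9]*.pem
  echo "$n"
}
verify_ca() {  # $1 = dir written by split_chain
  # the chain must validate against the root, and the intermediate must carry CA:TRUE, pathlen:0
  # (which is what the SubordinateCACertificate_PathLen0 template is meant to produce)
  openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/cert-chain.pem" "$1/ca-cert.pem" > /dev/null
  openssl x509 -in "$1/ca-cert.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
make_stand_in() {  # $1 = work dir; constructed local stand-in for the ACM PCA hierarchy
  d=$1; mkdir -p "$d"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = placeholder' \
    '[v3_root]' 'basicConstraints = critical, CA:true' 'keyUsage = critical, keyCertSign, cRLSign' \
    '[v3_int]' 'basicConstraints = critical, CA:true, pathlen:0' 'keyUsage = critical, keyCertSign, cRLSign' \
    > "$d/mini.cnf"
  openssl req -x509 -config "$d/mini.cnf" -extensions v3_root -newkey rsa:2048 -nodes -days 1 \
    -subj '/O=Example/CN=Stand-in Root' -keyout "$d/root-key.pem" -out "$d/root.pem" 2> /dev/null
  openssl req -new -config "$d/mini.cnf" -newkey rsa:2048 -nodes \
    -subj '/O=Istio/CN=Intermediate CA' -keyout "$d/ca-key.pem" -out "$d/cluster-ca.csr" 2> /dev/null
  openssl x509 -req -in "$d/cluster-ca.csr" -CA "$d/root.pem" -CAkey "$d/root-key.pem" -CAcreateserial \
    -days 1 -extfile "$d/mini.cnf" -extensions v3_int -out "$d/ca.pem" 2> /dev/null
  # mimic the text output layout: Certificate<TAB>CertificateChain
  printf '%s\t%s\n' "$(cat "$d/ca.pem")" "$(cat "$d/root.pem")" > "$d/chain.txt"
}
if [ "${1:-}" = "--demo" ]; then  # stand-alone run: sh example.sh --demo
  w=$(mktemp -d); make_stand_in "$w"; split_chain "$w/chain.txt" "$w/out"; verify_ca "$w/out" && echo "chain OK in $w/out"
fi
```

On real output, save what get-certificate prints to a file, run split_chain on it, then verify_ca before running the kubectl create secret command.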
Install Istio (version 1.9 tested) and, after installation, restart the rollout of Istio's deployments so they pick up the new CA.
Voila!
Take a look at istiod's logs: they should mention that it's using the new intermediate CA and that it's able to generate certs.
You can also run istioctl proxy-status to make sure everything is okay.
Next step: look at how to use a solution such as Vault.