Extending Self-Signed Certificate Lifetime

    To evaluate the lifetime remaining for your root certificate, please refer to the first step in the procedure below.

    The steps below show you how to transition to a new root certificate. After the transition, the new root certificate has a 10 year lifetime. Note that the Envoy instances will be hot restarted to reload the new root certificates, which may impact long-lived connections. For details about the impact and how Envoy hot restart works, refer to the Envoy hot restart documentation.

    If you are not currently using the mutual TLS feature in Istio and will not use it in the future, you are not affected and no action is required.

    If you may use the mutual TLS feature in the future, you should follow the procedure below to perform a root certificate transition.

    If you are currently using the mutual TLS feature in Istio with self-signed certificates, please follow the procedure and check whether you will be affected.

    1. Check when the root certificate expires:

      Download the root-transition.sh script on a machine that has access to the cluster and run its root certificate check to see how long the current root certificate remains valid.

      Execute the remainder of the steps prior to root certificate expiration to avoid system outages.

    2. Check the version of your sidecars and upgrade if needed:

      Some early versions of Istio sidecar could not automatically reload the new root certificate. Please run the following command to check the version of your Istio sidecars.

      $ ./root-transition.sh check-version
      Istio proxy version: 1.3.5
      Checking namespace: istio-system
      Istio proxy version: 1.3.5
      Istio proxy version: 1.3.5
      ...

      If your sidecars are running a version lower than 1.0.8 (on the 1.0 line) or 1.1.8 (on the 1.1 line), upgrade the Istio control plane and sidecars to 1.0.8 or 1.1.8 or later. To upgrade, follow the Istio upgrade procedure or the procedure provided by your cloud service provider.

    3. Execute a root certificate transition:

      During the transition, the Envoy sidecars may be hot-restarted to reload the new certificates. This may have some impact on your traffic. Refer to the Envoy hot restart documentation for more details.

      If your Pilot does not have an Envoy sidecar, consider installing one. Pilot has issues using the old root certificate to verify the new workload certificates, which may cause disconnection between Pilot and Envoy. See the troubleshooting section below for how to check for this condition. The Istio upgrade guide by default installs Pilot with a sidecar.

    4. Verify the new workload certificates are generated:

      $ ./root-transition.sh verify-certs
      ...
      Root cert MD5 is 8fa8229ab89122edba73706e49a55e4c
      Secret default.istio.default matches current root.
      Secret default.istio.sleep matches current root.
      Checking namespace: istio-system
      Secret istio-system.istio.default matches current root.
      ...
      =====All Istio mutual TLS keys and certificates match the current root!=====

      If this command fails, wait a minute and run the command again. It takes some time for Citadel to propagate the certificates.

    5. Verify the new workload certificates are loaded by Envoy:

      You can verify whether an Envoy has received the new certificates by inspecting the certificates it currently has loaded, which Envoy exposes through its admin interface.

      Inspect the `valid_from` value of the `ca_cert` entry. If it matches the _Not Before_ value of the new root certificate generated in Step 3, your Envoy has loaded the new root certificate.
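    The following shell helper is an added example for this page; it is not part of Istio or of the root-transition.sh script. It automates the three checks the procedure above performs by hand: the days remaining before the root certificate expires (Step 1), whether a workload's root-cert.pem is the same certificate as the CA's root (Step 4), and whether the `valid_from` that Envoy reports for its `ca_cert` equals the root's _Not Before_ (Step 5). It goes slightly beyond the page by comparing SHA-256 fingerprints of the DER encoding rather than a hash of the PEM file, so whitespace differences cannot cause a false mismatch. The file names root.pem and workload-root.pem, the script name check-root.sh, and the kubectl commands in the comments (the istio-ca-secret secret and its ca-cert.pem key, the istio.default workload secret and its root-cert.pem key, and Envoy's admin /certs page on port 15000 of the istio-proxy container) are assumptions about a standard Istio 1.x installation, not something the page itself states.

```shell
#!/bin/sh
# Hypothetical helper written for this page; it is not part of Istio or of
# the root-transition.sh script. Requires openssl and date.
#
# Assumed inputs, fetched separately with kubectl (names assumed for a
# standard Istio 1.x install):
#   kubectl get secret istio-ca-secret -n istio-system \
#     -o jsonpath='{.data.ca-cert\.pem}' | base64 -d > root.pem
#   kubectl get secret istio.default -n default \
#     -o jsonpath='{.data.root-cert\.pem}' | base64 -d > workload-root.pem
#   kubectl exec <pod> -c istio-proxy -- curl -s localhost:15000/certs
#     (copy the ca_cert valid_from string, e.g. 2019-06-06T02:11:15Z)
#
# Usage: ./check-root.sh root.pem workload-root.pem [ENVOY_VALID_FROM]
set -eu

# Convert OpenSSL's date format ("Jun  6 02:11:15 2019 GMT") into the RFC 3339
# form Envoy prints ("2019-06-06T02:11:15Z"). GNU date first, BSD date fallback.
to_iso8601() {
  date -u -d "$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -j -f "%b %e %T %Y %Z" "$1" +%Y-%m-%dT%H:%M:%SZ
}

# Seconds since the epoch for an OpenSSL-formatted date.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null \
    || date -u -j -f "%b %e %T %Y %Z" "$1" +%s
}

# Whole days until the certificate's notAfter (negative once it has expired).
days_until_expiry() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(to_epoch "$not_after") - $(date -u +%s)) / 86400 ))
}

# The certificate's notBefore in Envoy's valid_from format.
not_before_iso() {
  not_before=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  to_iso8601 "$not_before"
}

# SHA-256 fingerprint of the DER encoding, independent of PEM whitespace.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when both PEM files carry the same certificate.
same_root() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# True when Envoy's reported valid_from equals this root's notBefore, i.e. the
# proxy has loaded this root rather than the previous one.
envoy_loaded_root() {
  [ "$(not_before_iso "$1")" = "$2" ]
}

if [ $# -ge 2 ]; then
  echo "root certificate expires in $(days_until_expiry "$1") days"
  if same_root "$1" "$2"; then
    echo "workload root-cert.pem matches the CA root"
  else
    echo "workload root-cert.pem does NOT match the CA root; wait for Citadel to propagate and re-check"
  fi
  if [ $# -ge 3 ]; then
    if envoy_loaded_root "$1" "$3"; then
      echo "Envoy has loaded this root (valid_from $3)"
    else
      echo "Envoy reports a different root (valid_from $3, expected $(not_before_iso "$1"))"
    fi
  fi
fi
```

    Run the helper once before the transition to see how much time remains, then again after Step 3 against each workload secret and proxy you care about; a mismatch in the second check means Citadel has not yet propagated the new root, and a mismatch in the third means the proxy has not reloaded it.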

    Troubleshooting

    Make sure you have updated the istio-proxy sidecars to 1.0.8, 1.1.8 or later, as described in Step 2.

    If you are using Istio releases 1.1.3 - 1.1.7, Envoy may not be hot-restarted after the new certificates are generated.

    This may be because Pilot is not running with an Envoy sidecar while controlPlaneSecurity is enabled. In this case, restart both Galley and Pilot to ensure they load the new certificates. As an example, the following commands redeploy the Galley and Pilot pods by deleting the current ones; their deployments recreate them.

    $ kubectl delete po <galley-pod> -n istio-system
    $ kubectl delete po <pilot-pod> -n istio-system

    How to check whether Pilot has an Envoy sidecar

    If the READY column of the following command shows 1/1, your Pilot does not have an Envoy sidecar; if it shows 2/2, your Pilot is running with an Envoy sidecar.

    $ kubectl get po -l istio=pilot -n istio-system
