# Istio plugin CA sample certificates

This directory contains sample pre-generated certificates and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).

The included sample files are:

- `root-cert.pem`: root CA certificate.
- `root-cert-alt.pem`: alternative CA certificate.
- `root-cert-combined.pem`: `root-cert.pem` and `root-cert-alt.pem` combined into a single file.
- `root-cert-combined-2.pem`: `root-cert.pem` and two `root-cert-alt.pem` combined into a single file.
- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
- `ca-[cert-alt-2|key-alt-2].pem`: alternative intermediate certificate and corresponding private key signed by `root-cert-alt.pem`.
- `cert-chain.pem`: certificate trust chain.
- `cert-chain-alt.pem`: alternative certificate chain.
- `cert-chain-alt-2.pem`: alternative certificate chain signed by `root-cert-alt.pem`.
- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
- `workload-foo-root-certs.pem`: root and intermediate CA certificates for foo workload certificate.
- `workload-bar-root-certs.pem`: root and intermediate CA certificates for bar workload certificate.
- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.

The workload cert and key are generated by:

```shell script
./generate-workload.sh foo
./generate-workload.sh bar
```

To generate certs signed by the alternative root `root-cert-alt.pem`:

```shell script
./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
```
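The hierarchy these files represent (root CA, intermediate CA, workload leaf carrying a SPIFFE URI SAN) can be checked as in the following added example, which is not part of the Istio sources. It builds throwaway certificates in memory instead of reading the sample files; the helpers `issue` and `verifiedID` are hypothetical names, and Ed25519 keys are an assumption chosen for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue builds a constructed cert signed by parent (self-signed if nil); empty uriSAN means CA.
func issue(cn, uriSAN string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: uriSAN == "", KeyUsage: x509.KeyUsageCertSign}
	if uriSAN != "" { // workload leaf: carries the SPIFFE identity and cannot sign certificates
		u, _ := url.Parse(uriSAN)
		tmpl.URIs, tmpl.KeyUsage = []*url.URL{u}, x509.KeyUsageDigitalSignature
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifiedID returns the leaf's SPIFFE ID only after leaf -> intermediate -> root verifies.
func verifiedID(leaf, intermediate, root *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(intermediate)
	if _, err := leaf.Verify(opts); err != nil || len(leaf.URIs) != 1 {
		return "", fmt.Errorf("untrusted chain or not exactly one URI SAN (verify error: %v)", err)
	}
	return leaf.URIs[0].String(), nil
}
func main() {
	root, rootKey := issue("constructed root", "", nil, nil)
	ca, caKey := issue("constructed intermediate", "", root, rootKey)
	foo, _ := issue("foo", "spiffe://trust-domain-foo/ns/foo/sa/foo", ca, caKey)
	fmt.Println(verifiedID(foo, ca, root))
}
```

Passing a different root for the same leaf and intermediate makes `verifiedID` return an error, which is the behaviour to expect when a workload certificate is checked against the wrong one of two roots.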