istio.io/istio@v0.0.0-20240520182934-d79c90f27776/samples/certs/README.md

# Istio plugin CA sample certificates

This directory contains sample pre-generated certificates and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
a deployment, Citadel acts as an intermediate certificate authority (CA) under the given root CA.
Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).

The included sample files are:

- `root-cert.pem`: root CA certificate.
- `root-cert-alt.pem`: alternative root CA certificate.
- `root-cert-combined.pem`: `root-cert.pem` and `root-cert-alt.pem` combined into a single file.
- `root-cert-combined-2.pem`: `root-cert.pem` and two copies of `root-cert-alt.pem` combined into a single file.
- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
- `ca-[cert-alt-2|key-alt-2].pem`: alternative intermediate certificate and corresponding private key, signed by `root-cert-alt.pem`.
- `cert-chain.pem`: certificate trust chain.
- `cert-chain-alt.pem`: alternative certificate chain.
- `cert-chain-alt-2.pem`: alternative certificate chain signed by `root-cert-alt.pem`.
- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`, signed by `ca-cert.key`.
- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`, signed by `ca-cert.key`.
- `workload-foo-root-certs.pem`: root and intermediate CA certificates for the foo workload certificate.
- `workload-bar-root-certs.pem`: root and intermediate CA certificates for the bar workload certificate.
- `leaf-workload-foo-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo`.
- `leaf-workload-bar-cert.pem`: leaf workload certificate for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar`.

The workload certs and keys are generated by:

```shell
./generate-workload.sh foo
./generate-workload.sh bar
```

To generate certs signed by the alternative root `root-cert-alt.pem`:

```shell
# name, namespace, serviceAccount and tmpDir are positional placeholders to substitute per workload;
# the trailing use-alternative-root argument selects root-cert-alt.pem as the signing root.
./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
```
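As an added example, not code from the Istio repository or this README, the Go program below builds the same three-tier layout in memory (root, a Citadel-style intermediate, and a workload leaf whose URI SAN is the foo SPIFFE ID listed above) and then verifies the leaf the way a peer must: chain it to the trusted root through the intermediate, then require its single URI SAN to equal the expected SPIFFE ID. The subject names, serial numbers and Ed25519 keys are constructed here and are not those of the sample files; `issue`, `Build` and `VerifyWorkload` are hypothetical helpers, not Istio APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// issue mints a certificate with a fresh Ed25519 key; a nil parent means self-signed (a root).
func issue(cn string, serial int64, ku x509.KeyUsage, uris []*url.URL, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, URIs: uris,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Build mirrors the sample layout (root -> Citadel intermediate -> foo workload); names and serials are constructed.
func Build() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue("Root CA", 1, x509.KeyUsageCertSign, nil, nil, nil)
	inter, interKey := issue("Citadel Intermediate CA", 2, x509.KeyUsageCertSign, nil, root, rootKey)
	id := &url.URL{Scheme: "spiffe", Host: "trust-domain-foo", Path: "/ns/foo/sa/foo"}
	leaf, _ = issue("", 3, x509.KeyUsageDigitalSignature, []*url.URL{id}, inter, interKey)
	return root, inter, leaf
}
// VerifyWorkload chains leaf -> intermediate -> trusted root, then requires the single URI SAN to be the expected SPIFFE ID.
func VerifyWorkload(leaf, inter, root *x509.Certificate, spiffeID string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	// ExtKeyUsageAny: mesh peers present the same cert as client and server, so do not pin one EKU here.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != spiffeID {
		return fmt.Errorf("expected SPIFFE ID %q, got URI SANs %v", spiffeID, leaf.URIs)
	}
	return nil
}
```

Verifying the same leaf against an unrelated root (the role `root-cert-alt.pem` plays relative to the primary chain) fails with an unknown authority error, which is why a verifier that must trust both chains is given a combined root file.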