istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tools/certs/README.md

# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust

The directory contains two Makefiles for generating new root certificates, intermediate certificates and workload certificates:

- `Makefile.k8s.mk`: Creates certificates based on a root CA from a k8s cluster. The current context in the default `kubeconfig` is used for accessing the cluster.
- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root.

The table below describes the targets supported by both Makefiles.

Make Target | Makefile | Description
------ | -------- | -----------
`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate.
`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`.
`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM named `$NAME` (e.g., `us-east`, `cluster01`, etc.) and stores them under the `$NAME` directory. To differentiate between clusters, the certificate's `Subject` field includes a `Location` (`L`) designation set to the cluster's name.
`$NAMESPACE-certs` | Both | Generates intermediate certificates and signs certificates for a virtual machine connected to the namespace `$NAMESPACE` using the service account `$SERVICE_ACCOUNT`, all chained to the root certificate, and stores them under the `$NAMESPACE` directory.
`clean` | Both | Removes any generated root certificates, keys, and intermediate files.

For example:

```bash
make -f Makefile.selfsigned.mk root-ca
```

Note that the Makefile generates long-lived intermediate certificates. While this might be acceptable for demonstration purposes, a more realistic and secure deployment would use short-lived and automatically renewed certificates for the intermediate CAs.
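As an added example (not code from the Istio repository or its Makefiles), this Go program builds the same shape of chain the `$NAME-cacerts` target produces (a self-signed root and a per-cluster intermediate carrying the cluster name in the `L` field), verifies that the intermediate chains to the root, and checks its lifetime against a policy maximum, which is the check a deployment would want given the long-lived-intermediate caveat above. `NewCA` and `CheckIntermediate` are hypothetical helper names, and the program uses Go's standard library instead of the Makefile's openssl commands.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// NewCA issues a CA certificate: self-signed when parent is nil (the root), otherwise
// an intermediate signed by parent whose Subject carries the cluster name as L=<cluster>.
func NewCA(cn, cluster string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{Organization: []string{"Istio"}, CommonName: cn}
	if cluster != "" {
		subject.Locality = []string{cluster} // the Location designation the $NAME-cacerts target adds
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckIntermediate verifies inter chains to root; returns its L (cluster) field and whether its lifetime exceeds maxTTL.
func CheckIntermediate(root, inter *x509.Certificate, maxTTL time.Duration) (cluster string, tooLong bool, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err = inter.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", false, err // unrelated root, expired certificate, or broken CA chain
	}
	return strings.Join(inter.Subject.Locality, ","), inter.NotAfter.Sub(inter.NotBefore) > maxTTL, nil
}
```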