Common Setup
This document describes the common setup required to proceed with the specific instructions for the external services under the External CA Integration document.
You may safely skip sections of this document if you have already set them up.
Installing cert-manager
Run the following commands to install cert-manager in your control plane cluster. Make sure that your Kubernetes context points to the correct cluster before issuing helm commands.
For more details, please check the cert-manager documentation.
cert-manager
You will need to have cert-manager 1.7.2 or newer installed in your control plane clusters.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.7.2 \
--set installCRDs=true
The details for installing istio-csr differ between setup types and are covered in their own sections.
istio-csr
You will need to have istio-csr 0.4.2 or newer installed in your control plane clusters.
Generating The Root CA Certificate and Key
note
You may skip this section if you already have your own CA certificate and/or an intermediate CA certificate to use with Istio.
Make sure that you have the following setup in your openssl.conf. A CA certificate must include the basicConstraints extension with the CA parameter set to TRUE.
#openssl.conf
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = keyCertSign, cRLSign
Execute the following command to generate the certificate and the CA key. Make sure to specify -extensions v3_ca in the command.
openssl req \
-x509 \
-sha256 \
-nodes \
-extensions v3_ca \
-days 365 \
-newkey rsa:2048 \
-subj '/O=TSB/CN=test.tetrate.info' \
-keyout ca.key \
-out ca.crt
Once you have generated the certificate, execute the following command to display the contents:
openssl x509 -in ca.crt -text -noout
Then check the following properties are included:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
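The generation and check above, as an added end-to-end example that is not part of the original page: it writes the v3_ca section into a private openssl.conf, generates the root CA with -extensions v3_ca, and verifies the extensions in the result; a constructed v3_leaf section (CA:FALSE) serves as the negative case that the check must reject. It assumes openssl is on PATH; basicConstraints is marked critical, as in the default openssl.cnf and in the expected output shown above.

```shell
#!/bin/sh
# Added example (not the page's own script). Assumes openssl is on PATH.
# Writes a private openssl.conf with the page's v3_ca section, generates the
# root CA as the page does (-extensions v3_ca), and verifies the result.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed config: the [ req ] stanza is required when -config is used.
write_openssl_conf() {
  cat > "$WORKDIR/openssl.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
}

# Self-signed certificate using the named extension section (v3_ca or v3_leaf).
gen_cert() {  # $1 = extension section, $2 = output basename
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -config "$WORKDIR/openssl.conf" -extensions "$1" \
    -subj '/O=TSB/CN=test.tetrate.info' \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.crt" 2>/dev/null
}

# 0 if the cert can act as an Istio root CA; 1/2/3 name the missing property.
verify_ca_cert() {
  text=$(openssl x509 -in "$1" -text -noout 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 2
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 3
}

main() {
  write_openssl_conf
  gen_cert v3_ca ca && gen_cert v3_leaf leaf
  for name in ca leaf; do
    if verify_ca_cert "$WORKDIR/$name.crt"; then
      echo "$name.crt: CA:TRUE and keyCertSign present, usable as Istio root CA"
    else
      echo "$name.crt: rejected (rc=$?)"
    fi
  done
}
main
```

Run it as-is to see ca.crt accepted and leaf.crt rejected; set WORKDIR to keep the generated ca.crt and ca.key for the istio-csr steps.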