Istio plugin CA sample certificates

This directory contains sample pre-generated certificates and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such a deployment, Citadel acts as an intermediate certificate authority (CA) under the given root CA. Instructions are available here.

The included sample files are:

  • root-cert.pem: root CA certificate.
  • root-cert-alt.pem: alternative CA certificate.
  • root-cert-combined.pem: combine root-cert.pem and root-cert-alt.pem into a single file.
  • root-cert-combined-2.pem: combine root-cert.pem and two root-cert-alt.pem into a single file.
  • ca-[cert|key].pem: Citadel intermediate certificate and corresponding private key.
  • ca-[cert-alt|key-alt].pem: alternative intermediate certificate and corresponding private key.
  • ca-[cert-alt-2|key-alt-2].pem: alternative intermediate certificate and corresponding private key signed by root-cert-alt.pem.
  • cert-chain.pem: certificate trust chain.
  • cert-chain-alt.pem: alternative certificate chain.
  • cert-chain-alt-2.pem: alternative certificate chain signed by root-cert-alt.pem.
  • workload-foo-[cert|key].pem: workload certificate and key for URI SAN spiffe://trust-domain-foo/ns/foo/sa/foo signed by ca-cert.key.
  • workload-bar-[cert|key].pem: workload certificate and key for URI SAN spiffe://trust-domain-bar/ns/bar/sa/bar signed by ca-cert.key.
  • workload-foo-root-certs.pem: root and intermediate CA certificates for foo workload certificate.
  • workload-bar-root-certs.pem: root and intermediate CA certificates for bar workload certificate.
  • leaf-workload-foo-cert.pem: leaf workload certificate for URI SAN spiffe://trust-domain-foo/ns/foo/sa/foo.
  • leaf-workload-bar-cert.pem: leaf workload certificate for URI SAN spiffe://trust-domain-bar/ns/bar/sa/bar.

The workload cert and key are generated by:

 ./generate-workload.sh foo
 ./generate-workload.sh bar

To generate certs signed by the alternative root root-cert-alt.pem:

 ./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
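
A way to check the kind of chain listed above, as an added example that is not part of the Istio repository: it builds constructed stand-ins for root-cert.pem, ca-cert.pem and workload-foo-cert.pem, then confirms the leaf chains to the root through the intermediate and carries the expected SPIFFE URI SAN. The function names, the alt-root prefix (standing in for root-cert-alt.pem), the subjects and the one-day lifetimes are assumptions.

```shell
#!/usr/bin/env bash
# Added example: every key and cert here is a constructed, throwaway stand-in
# named after the sample files; nothing is taken from the repository.
set -eu

# issue PREFIX SUBJECT EXTENSION [ISSUER_PREFIX]; self-signed when no issuer.
issue() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf '%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "$2" \
    -keyout "$1-key.pem" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4-cert.pem" -CAkey "$4-key.pem" \
      -CAcreateserial -days 1 -extfile "$1.ext" -out "$1-cert.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1-key.pem" -days 1 \
      -extfile "$1.ext" -out "$1-cert.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> workload leaf, plus an unrelated second root.
build_sample_pki() {  # $1 = empty output directory, $2 = SPIFFE ID for the leaf
  ( cd "$1" &&
    issue root     "/O=example/CN=Root CA"     "basicConstraints=critical,CA:TRUE" &&
    issue alt-root "/O=example/CN=Alt Root CA" "basicConstraints=critical,CA:TRUE" &&
    issue ca "/O=example/CN=Intermediate CA" "basicConstraints=critical,CA:TRUE" root &&
    issue workload-foo "/O=example" "subjectAltName=URI:$2" ca )
}

# Print the leaf's URI SAN only if it chains to the root via the intermediate.
check_workload_cert() {  # $1 = root, $2 = intermediate, $3 = leaf
  # -no-CApath keeps the system trust store out of the decision.
  openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$3" -noout -text | grep -o 'URI:[^, ]*' | head -n1)
  [ -n "$san" ] && printf '%s\n' "${san#URI:}"
}

SPIFFE_ID="spiffe://trust-domain-foo/ns/foo/sa/foo"
PKI_DIR=$(mktemp -d)
build_sample_pki "$PKI_DIR" "$SPIFFE_ID"
check_workload_cert "$PKI_DIR/root-cert.pem" "$PKI_DIR/ca-cert.pem" \
  "$PKI_DIR/workload-foo-cert.pem"
```

The same leaf fails the check when the alternative root is supplied as the trust anchor, which is the behaviour to expect when a workload certificate and a root bundle come from different roots.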