Tutorial: Configuring a Custom Certificate Authority

Overview

In this tutorial we’ll look at how to use SuperGloo to set a custom certificate authority (CA) that will issue the certificates used for mutual TLS.

When mutual TLS is enabled between services, client and server certificates are generated for each service by the mesh which manages them. By default those certificates are created using a self-signed root certificate and key generated by the mesh, which acts as certificate authority for the services in the mesh.

Using SuperGloo, we can have the mesh generate its certs from root certificates created by an external CA. This tutorial walks through the steps required to set the root certs used for mTLS in Istio.

Tutorial

Let’s demonstrate the ability to rotate the root certificates used by Istio. First we’ll rotate the certs, then we’ll verify that the pods in our mesh were updated by directly inspecting the certificates loaded by one of our sidecar proxies.

First, ensure you’ve:

Now we’ll start by creating the set of files we’ll need to replace the generated certs used by Istio:

Note: the certificates and key below are test material only. Use your own certificates for anything other than testing.

cat > root-cert.pem <<EOF
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
EOF

cat > ca-cert.pem <<EOF
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
EOF

cat > cert-chain.pem <<EOF
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
EOF

cat > ca-key.pem <<EOF
-----BEGIN RSA PRIVATE KEY-----
[private key body elided]
-----END RSA PRIVATE KEY-----
EOF

ls *.pem

ca-cert.pem  ca-key.pem  cert-chain.pem  root-cert.pem

Now let’s create a SuperGloo TLS secret from these certs:

supergloo create secret tls --name my-root-ca \
    --cacert ca-cert.pem \
    --cakey ca-key.pem \
    --rootcert root-cert.pem \
    --certchain cert-chain.pem
+------------+
| TLSSECRET  |
+------------+
| my-root-ca |
+------------+

Confirm the secret was created:

kubectl --namespace supergloo-system get secret my-root-ca --output yaml
apiVersion: v1
data:
  ca-cert.pem: <base64-encoded ca-cert.pem, elided>
  ca-key.pem: <base64-encoded ca-key.pem, elided>
  cert-chain.pem: <base64-encoded cert-chain.pem, elided>
  root-cert.pem: <base64-encoded root-cert.pem, elided>
kind: Secret
metadata:
  annotations:
    resource_kind: '*v1.TlsSecret'
  creationTimestamp: 2019-03-19T19:59:49Z
  name: my-root-ca
  namespace: supergloo-system
  resourceVersion: "451018"
  selfLink: /api/v1/namespaces/supergloo-system/secrets/my-root-ca
  uid: 8d4bbd3d-4a81-11e9-9c8c-3c78d8017c4a
type: Opaque

Finally, we must tell SuperGloo to use this secret for certificate provisioning in our mesh:

supergloo set mesh rootcert --target-mesh supergloo-system.istio-istio-system \
    --tls-secret supergloo-system.my-root-ca
+--------------------+-------+------+
|        MESH        | TYPE  | MTLS |
+--------------------+-------+------+
| istio-istio-system | Istio | true |
+--------------------+-------+------+

Note: --target-mesh should be set to the NAMESPACE.NAME of the managed mesh you’d like to configure. To view the list of available meshes, run kubectl get mesh.supergloo.solo.io --all-namespaces.

Once that’s done, we’ll use some kubectl commands to inspect the certificates Istio has distributed to the Bookinfo app. Note that it may take several minutes for the custom certificates to be swapped in for the old ones.

Let’s download the root certificate that was loaded into the sidecar of one of the Bookinfo pods:

RATINGSPOD=$(kubectl --namespace default get pods -l app=ratings -o jsonpath='{.items[0].metadata.name}')
# No -t here: allocating a TTY while redirecting stdout to a file can corrupt the captured PEM.
kubectl exec -n default -i "$RATINGSPOD" -c istio-proxy -- /bin/cat /etc/certs/root-cert.pem > pod-root-cert.pem

Using diff, we should see that pod-root-cert.pem matches our own root-cert.pem (diff prints nothing when the two files are identical):

openssl x509 -in root-cert.pem -text -noout > root-cert.crt.txt
openssl x509 -in pod-root-cert.pem -text -noout > pod-root-cert.crt.txt
diff root-cert.crt.txt pod-root-cert.crt.txt