Istio supports several mechanisms for signing the workload certificates used for mutual TLS (mTLS). The options include:
- Istio Certificate Authority (CA) uses a self-signed root certificate
- Istio CA uses an administrator-specified signing certificate and key, chained to an administrator-specified root certificate
- A custom CA issues keys and certificates as files that are mounted into the sidecars
- Experimental custom CA integration uses the Kubernetes CSR API (Kubernetes 1.18+)
- An external CA uses the Istio CA gRPC API, either through the Istiod Registration Authority (RA) model or by directly authenticating workloads and validating the Subject Alternative Name (SAN)
Tetrate Istio Distro integrates with the Private CA from AWS Certificate Manager, the GCP Certificate Authority Service (CAS), and cert-manager to sign the workload certificates.
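As an added example (not code from the Tetrate Istio Distro or Istio documentation), the shell script below builds the material for the second option above, an administrator-specified signing certificate and key under an administrator-specified root, in the layout Istio's `cacerts` secret expects (the secret name and the file names `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem` are Istio's documented convention for plugged-in CA certificates). It then issues one workload certificate carrying a SPIFFE ID in its SAN, the identity Istio puts in workload certificates, and performs the chain and SAN checks a peer performs at the mTLS handshake. It assumes `openssl` is installed; the working directory, the trust domain `cluster.local`, the subject names and the namespace/service account `default/httpbin` are illustrative assumptions. The `kubectl` command is printed rather than run so the script works without a cluster.

```sh
#!/bin/sh
# Added example, not Istio or Tetrate code: build root + intermediate CA
# material for Istio CA, issue a SPIFFE workload cert from the intermediate,
# and verify it the way a peer would. Assumes openssl is installed; WORK,
# TRUST_DOMAIN and all subject names are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TRUST_DOMAIN="${TRUST_DOMAIN:-cluster.local}"

# Root CA (kept offline in practice) and the intermediate that istiod signs with.
make_ca_material() {
  # Root: self-signed, CA:TRUE, used only to sign the intermediate.
  openssl genrsa -out "$WORK/root-key.pem" 4096 2>/dev/null
  openssl req -new -key "$WORK/root-key.pem" -sha256 \
    -subj "/O=Example Org/CN=Example Root CA" -out "$WORK/root-csr.pem"
  cat > "$WORK/root-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in "$WORK/root-csr.pem" -signkey "$WORK/root-key.pem" \
    -days 3650 -sha256 -extfile "$WORK/root-ext.cnf" \
    -out "$WORK/root-cert.pem" 2>/dev/null

  # Intermediate: pathlen:0 so it can sign workloads but not further CAs.
  openssl genrsa -out "$WORK/ca-key.pem" 4096 2>/dev/null
  openssl req -new -key "$WORK/ca-key.pem" -sha256 \
    -subj "/O=Example Org/CN=Istio Intermediate CA" -out "$WORK/ca-csr.pem"
  cat > "$WORK/ca-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$WORK/ca-csr.pem" -CA "$WORK/root-cert.pem" \
    -CAkey "$WORK/root-key.pem" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/ca-ext.cnf" -out "$WORK/ca-cert.pem" 2>/dev/null

  # Istio expects the chain as intermediate followed by root.
  cat "$WORK/ca-cert.pem" "$WORK/root-cert.pem" > "$WORK/cert-chain.pem"
}

# Issue a workload cert from the intermediate. The identity is the SPIFFE
# URI in the SAN, which is what peers validate. Args: namespace, service account.
issue_workload_cert() {
  ns="$1"; sa="$2"
  spiffe_id="spiffe://$TRUST_DOMAIN/ns/$ns/sa/$sa"
  openssl genrsa -out "$WORK/workload-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/workload-key.pem" -sha256 \
    -subj "/O=Example Org" -out "$WORK/workload-csr.pem"
  cat > "$WORK/workload-ext.cnf" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = URI:$spiffe_id
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$WORK/workload-csr.pem" -CA "$WORK/ca-cert.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 1 -sha256 \
    -extfile "$WORK/workload-ext.cnf" -out "$WORK/workload-cert.pem" 2>/dev/null
}

# Negative case: a self-signed cert asserting the same SPIFFE ID but not
# chained to root-cert.pem. Must be rejected by verify_chain.
make_rogue_cert() {
  ns="$1"; sa="$2"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/rogue-key.pem" \
    -sha256 -days 1 -subj "/O=Rogue/CN=rogue" \
    -addext "subjectAltName=URI:spiffe://$TRUST_DOMAIN/ns/$ns/sa/$sa" \
    -out "$WORK/rogue-cert.pem" 2>/dev/null
}

# Chain check a peer performs: trust only root-cert.pem, treat the
# intermediate as untrusted input. Returns 0 when the cert chains to the root.
verify_chain() {
  cert="${1:-$WORK/workload-cert.pem}"
  openssl verify -CAfile "$WORK/root-cert.pem" -untrusted "$WORK/ca-cert.pem" \
    "$cert" >/dev/null 2>&1
}

# SAN check: extract the SPIFFE ID the peer compares against policy.
workload_spiffe_id() {
  cert="${1:-$WORK/workload-cert.pem}"
  openssl x509 -in "$cert" -noout -text \
    | sed -n 's/.*URI:\(spiffe:[^,[:space:]]*\).*/\1/p' | head -n 1
}

# The secret istiod reads its signing material from. Printed, not applied,
# so this runs without a cluster.
cacerts_secret_cmd() {
  printf 'kubectl create secret generic cacerts -n istio-system'
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    printf ' \\\n  --from-file=%s=%s/%s' "$f" "$WORK" "$f"
  done
  printf '\n'
}

# Usage when executed directly.
make_ca_material
issue_workload_cert default httpbin
verify_chain || { echo "chain verification failed" >&2; exit 1; }
echo "workload identity: $(workload_spiffe_id)"
cacerts_secret_cmd
```

The rogue-certificate check is the practical point of the "administrator-specified root" option: a certificate that claims the right SPIFFE ID is still rejected unless it chains to `root-cert.pem`, so which root each workload trusts is what bounds the mesh, and `root-key.pem` should never be placed in the cluster; only the intermediate's key goes into the secret.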