When Domino deploys Istio mesh, out of the box, Istio provides scalable identity and X.509 certificate management for use with mTLS encryption, including periodic certificate and key rotation.Because all encrypted communication is internal, these certificates are not exposed or required for communication to any external services, such as web browsers and clients.Domino acknowledges that enterprise policies might mandate the use of corporate public key infrastructure (PKI) and necessitate the use of certificate authority (CA) certificates.
All certificates must be X.509 PEM format and keys must be passwordless.
-
Obtain the certificate files, noting the file names for use in future commands.
| Filename | Description |
|---|
root-cert.pem | Root CA certificate for PKI. |
ca-cert.pem | Intermediate CA certificate from root CA. This is the Istio CA certificate. |
ca-key.pem | Private key for Istio CA certificate. |
cert-chain.pem | Full chain from ca-cert.pem to root-cert.pem (including both certificates). |
-
Use the code in the following sample.
# Concatenate all certificates into a certificate chain file
# Assuming `N` intermediate certificates denoted as `int-ca-<i>.pem`, with `i = {1,...,N}`
cat ca-cert.pem int-ca-1.pem ... int-ca-N.pem root-cert.pem > cert-chain.pem
# Create new kubernetes secret with CA certificate files
kubectl -n istio-system create secret generic cacerts
--from-file=./ca-cert.pem
--from-file=./ca-key.pem
--from-file=./root-cert.pem
--from-file=./cert-chain.pem
In a new standard Domino install, if you follow the install process, the fleetcommand-agent (Domino installer) automatically picks up the secret that you created and Istio uses the configured certificates.
In an existing Domino installation, you must restart all the pods.