Skip to main content

Public preview: Istio add-on for AKS now supports plug-in certificate authority (CA)

Published date: January 31, 2024

In the Istio-based service mesh add-on (currently in public preview) for Azure Kubernetes Service, by default the Istio certificate authority (CA) generates a self-signed root certificate and key and uses them to sign the workload certificates.

To protect the root CA key, you should use a root CA, which runs on a secure machine offline. You can use the root CA to issue intermediate certificates to the Istio CAs that run in each cluster.

The Istio add-on now allows you to bring your own certificates and keys for Istio CA. An Istio CA can sign workload certificates using the administrator-specified certificate and key and distribute an administrator-specified root certificate to the workloads as the root of trust.

  • Azure Kubernetes Service (AKS)
  • Features