Issue certs to Istio service mesh

EJBCA can be used to issue certificates for Istio's mTLS.

Automate TLS Certificate Management in your Service Mech using Istio and EJBCA

Securing service mesh involves using Istio, an open-source service mesh platform, that comes with built-in support for mTLS to secure communication between services in a Kubernetes environment.

EJBCA can be used to issue certificates for Istio's mutual TLS (mTLS) authentication, providing secure and scalable certificate issuing. EJBCA allows you to start small and grow with flexibility as your certificate needs to change over time and to avoid using insecure self-signed certificates.

How to get started

Learn how to use a service mesh to issue mutual TLS certificates with EJBCA running in Kubernetes.

Following are the steps you need to take:

Deploy the EJBCA CSR Signer container
Integrate the EJBCA CSR Signer with the EJBCA REST API
Deploy an Istio service mesh
Deploy the sample Istio Bookinfo application
Check logs to validate certificates were issued

Prerequisites:

Before you begin, you need to create roles in EJBCA and set up an RA credential to be used by the EJBCA Certificate Signing Request Proxy for K8s (ejbca-csr-signer container) to authenticate to the EJBCA REST API. To learn how to configure EJBCA roles, follow the tutorial Create roles in EJBCA.
You also need to configure EJBCA by following the previous tutorials in this tutorial series Get started with EJBCA and Istio.
Additionally, you should have a basic understanding of how to use the Kubernetes command-line tool Kubectl.

Documentation

Tutorials/documentation

Documentation

Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Documentation

Docker Hub

Get your hands on the EJBCA Docker container by downloading it now from Docker Hub.

Docker Hub

YouTube

Take a peek at our YouTube playlist, and browse through some of our other tutorial videos as well.

View on YouTube

Discuss

You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.

Engage with us on GitHub

Related open-source projects

Open-source signing software

Try SignServer for digital signing for code, documents, timestamps, and more. SignServer is a digital signing engine, making it easy for teams to automate signing workflows and support all of their signing formats and use cases.

Open-source cryptographic APIs

Bouncy Castle is one of the most widely used FIPS-certified open-source cryptographic APIs for Java and C#, allowing developers to integrate PKI security into their applications easily.