Istio Certificate Management & SPIFFE

Certificate lifecycle in Istio: istiod CA, SPIFFE identity, cert rotation, and integration with external CAs.

🎯 Key Takeaways

  • istiod = default CA (good for dev)
  • Production: integrate with HashiCorp Vault or cloud CA
  • Trust domain: shared across clusters for multi-cluster mTLS

Certificate Lifecycle

istiod is the default CA. For production, integrate an external CA (Vault PKI, AWS Private CA, Google CAS) via the Istio CA plugin interface. Cert rotation: Envoy agents receive new certs 24h before expiry, so a workload keeps a valid certificate as long as the CA is reachable inside that window. SPIFFE trust domain: cluster.local by default; use a custom trust domain for multi-cluster federation, because a peer only accepts workload identities whose trust domain it is configured to trust.
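The identity and rotation rules above, as an added Go example that is not part of this page or of Istio's own code: it mints a throwaway root standing in for istiod's CA, issues a workload certificate whose SPIFFE ID is carried in the URI SAN, verifies the chain the way an mTLS peer would, checks that the identity belongs to the expected trust domain (cluster.local), and reports whether the certificate has entered the 24h pre-expiry rotation window. The root name, the service-account path, the 72h TTL and the Ed25519 keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RotationLeadTime mirrors the page: Envoy agents receive a new cert 24h before expiry.
const RotationLeadTime = 24 * time.Hour

// SPIFFEID is the identity carried in a workload cert's spiffe:// URI SAN,
// e.g. trust domain "cluster.local" and path "/ns/default/sa/bookinfo-productpage".
type SPIFFEID struct{ TrustDomain, Path string }

// issue generates a fresh Ed25519 key for tmpl and signs with signer; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewMeshCA creates a self-signed root standing in for istiod's CA (constructed for this example).
func NewMeshCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example mesh root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueWorkloadCert mints a short-lived leaf as a mesh CA does: the identity is a URI SAN, not the subject.
func IssueWorkloadCert(ca *x509.Certificate, caKey ed25519.PrivateKey, spiffeID string, notBefore time.Time, ttl time.Duration) (*x509.Certificate, error) {
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}, ca, caKey)
	return cert, err
}

// VerifyWorkloadCert is what an mTLS peer does: chain to the mesh root, require exactly one
// spiffe:// URI SAN (the X.509-SVID rule), and confirm it is in the expected trust domain.
func VerifyWorkloadCert(cert *x509.Certificate, roots *x509.CertPool, trustDomain string, now time.Time) (SPIFFEID, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return SPIFFEID{}, fmt.Errorf("chain verification failed: %w", err)
	}
	var ids []SPIFFEID
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" && u.Host != "" {
			ids = append(ids, SPIFFEID{TrustDomain: u.Host, Path: u.Path})
		}
	}
	if len(ids) != 1 {
		return SPIFFEID{}, fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	if ids[0].TrustDomain != trustDomain {
		return SPIFFEID{}, fmt.Errorf("trust domain %q is not the expected %q", ids[0].TrustDomain, trustDomain)
	}
	return ids[0], nil
}

// RotationDue reports whether the cert has entered the 24h pre-expiry window.
func RotationDue(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(cert.NotAfter.Add(-RotationLeadTime))
}

func main() {
	now := time.Now()
	ca, caKey, err := NewMeshCA(now)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Constructed workload identity in the default trust domain with a 72h TTL.
	leaf, err := IssueWorkloadCert(ca, caKey, "spiffe://cluster.local/ns/default/sa/bookinfo-productpage", now, 72*time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := VerifyWorkloadCert(leaf, roots, "cluster.local", now)
	fmt.Println("identity:", id, "err:", err, "rotation due now:", RotationDue(leaf, now), "at +49h:", RotationDue(leaf, now.Add(49*time.Hour)))
}
```

The trust-domain check is deliberately separate from chain verification: a certificate that chains to the same root but carries spiffe://other.example/... still fails, which is the property a multi-cluster mesh relies on when it decides which trust domains to federate. Swap the constructed root for the mesh root you actually trust to use the verifier on real workload certificates.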
