istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/blog/2019/root-transition/index.md

1008 B
Raw Permalink Blame History

title description publishdate attribution keywords target_release
Extending Istio Self-Signed Root Certificate Lifetime Learn how to extend the lifetime of Istio self-signed root certificate. 2019-06-07 Oliver Liu
security
PKI
certificate
Citadel
1.1

Istio self-signed certificates have historically had a 1 year default lifetime. If you are using Istio self-signed certificates, you need to schedule regular root transitions before they expire. An expiration of a root certificate may lead to an unexpected cluster-wide outage. The issue affects new clusters created with versions up to 1.0.7 and 1.1.7.

See Extending Self-Signed Certificate Lifetime for information on how to gauge the age of your certificates and how to perform rotation.

{{< tip >}} We strongly recommend you rotate root keys and root certificates annually as a security best practice. We will send out instructions for root key/cert rotation soon. {{< /tip >}}