istio.io/content/en/blog/2019/root-transition/index.md

---
title: Extending Istio Self-Signed Root Certificate Lifetime
description: Learn how to extend the lifetime of the Istio self-signed root certificate.
publishdate: 2019-06-07
attribution: Oliver Liu
keywords: [security, PKI, certificate, Citadel]
target_release: 1.1
---
Istio self-signed certificates have historically had a default lifetime of 1 year.
If you are using Istio self-signed certificates,
you need to schedule regular root transitions before they expire.
The expiration of a root certificate may lead to an unexpected cluster-wide outage.
The issue affects new clusters created with versions up to 1.0.7 and 1.1.7.
See [Extending Self-Signed Certificate Lifetime](/docs/ops/configuration/security/root-transition/) for
information on how to gauge the age of your certificates and how to perform rotation.
{{< tip >}}
We strongly recommend you rotate root keys and root certificates annually as a security best practice.
We will send out instructions for root key/cert rotation soon.
{{< /tip >}}