Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. OpenShift Service Mesh and cert-manager

The cert-manager tool provides a unified API to manage X.509 certificates for applications in a Kubernetes environment. You can use cert-manager to integrate with public or private key infrastructures (PKI) and automate certificate renewal.

The cert-manager tool ensures the certificates are valid and up-to-date by attempting to renew certificates at a configured time before they expire.

The cert-manager tool provides integration with Istio through an external agent called istio-csr. The istio-csr agent handles certificate signing requests (CSR) from Istio proxies and the controlplane in the following ways:

  1. Verifying the identity of the workload.
  2. Creating a CSR through cert-manager for the workload.

The cert-manager tool then creates a CSR to the configured CA Issuer, which signs the certificate.

Note

Red Hat provides support for integrating with istio-csr and cert-manager. Red Hat does not provide direct support for the istio-csr or the community cert-manager components. The use of community cert-manager shown here is for demonstration purposes only.

Prerequisites

  • One of these versions of cert-manager:

    • Red Hat cert-manager Operator 1.10 or later
    • community cert-manager Operator 1.11 or later
    • cert-manager 1.11 or later
  • Red Hat OpenShift Service Mesh 3.0 or later
  • An IstioCNI instance is running in the cluster
  • Istio CLI (istioctl) tool is installed
  • jq is installed
  • Helm is installed

4.1.1. Installing cert-manager
Copy link

You can integrate cert-manager with OpenShift Service Mesh by deploying istio-csr and then creating an Istio resource that uses the istio-csr agent to process workload and control plane certificate signing requests. This example creates a self-signed Issuer, but any other Issuer can be used instead.

Important

You must install cert-manager before installing your Istio resource.

Procedure

  1. Create the istio-system namespace by running the following command: 

    $ oc create namespace istio-system
    Copy to Clipboard Toggle word wrap

  2. Create the root issuer by creating an Issuer object in a YAML file.

    1. Create an Issuer object similar to the following example:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: istio-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: istio-ca
    namespace: istio-system
spec:
  isCA: true
  duration: 87600h # 10 years
  secretName: istio-ca
  commonName: istio-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  subject:
    organizations:
      - cluster.local
      - cert-manager
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca
---
      Copy to Clipboard Toggle word wrap

    2. Create the objects by running the following command: 

      $ oc apply -f issuer.yaml
      Copy to Clipboard Toggle word wrap

    3. Wait for the istio-ca certificate to contain the "Ready" status condition by running the following command: 

      $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system
      Copy to Clipboard Toggle word wrap

  3. Copy the istio-ca certificate to the cert-manager namespace so it can be used by istio-csr:

    1. Copy the secret to a local file by running the following command: 

      $ oc get -n istio-system secret istio-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.pem
      Copy to Clipboard Toggle word wrap

    2. Create a secret from the local certificate file in the cert-manager namespace by running the following command: 

      $ oc create secret generic -n cert-manager istio-root-ca --from-file=ca.pem=ca.pem
      Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top