package istio.v1.auth

Get desktop application:
View/edit binary Protocol Buffers messages

Service for managing certificates issued by the CA.

• rpc CreateCertificate (IstioCertificateRequest, IstioCertificateResponse)

  citadel.proto:54

  Using provided CSR, returns a signed certificate.

  message IstioCertificateRequest

  citadel.proto:30

  Certificate request message. The authentication should be based on: 1. Bearer tokens carried in the side channel; 2. Client-side certificate via Mutual TLS handshake. Note: the service implementation is REQUIRED to verify the authenticated caller is authorize to all SANs in the CSR. The server side may overwrite any requested certificate field based on its policies.

  • string csr = 1

    PEM-encoded certificate request. The public key in the CSR is used to generate the certificate, and other fields in the generated certificate may be overwritten by the CA.

  • int64 validity_duration = 3

    Optional: requested certificate validity period, in seconds.

  • optional google.protobuf.Struct metadata = 4

    $hide_from_docs Optional: Opaque metadata provided by the XDS node to Istio. Supported metadata: WorkloadName, WorkloadIP, ClusterID

  message IstioCertificateResponse

  citadel.proto:45

  Certificate response message.

  • repeated string cert_chain = 1

    PEM-encoded certificate chain. The leaf cert is the first element, and the root cert is the last element.