Skip to content

Istio CSR overview

Istio CSR is an alternative implementation of Istio's CA server component that uses cert-manager to authenticate, authorize, and sign incoming certificate signing requests from Istio workloads.

Istio CSR enables the use of any issuer supported by cert-manager, enabling secure off-cluster storage of CA material, improving security and enabling automation which helps prevent outages related to TLS certificates.

Istio CSR provides exactly the same gRPC service interface as Istio's built-in CA server, seamlessly matching its behavior for typical installations, while allowing certificate management through cert-manager. To do this, Istio CSR must be installed in your cluster first so that when you install Istio it can be configured from the start to issue through cert-manager.

For more information on how Istio requests certificates, see Istio: Identity and certificate management.