External Certificate Authorities

You can configure Cisco Panoptica to use an external certificate authority (CA) to issue the certificates that secure TLS communication between services on your clusters. These certificates replace the self-signed certificates that the Istio CA generates by default.

When integrated with Panoptica, the external CA typically issues an intermediate CA certificate for the cluster. That intermediate, rather than the external root itself, signs the certificates for the individual workloads deployed on the cluster (the cluster must also be configured to use these certificates, as described below).

External certificates are managed by the external CA. Panoptica, when integrated with an external CA, automatically renews workload certificates before they expire and issues new ones seamlessly and transparently, without interrupting the operation of the services that use them.

Services running on a cluster (or across multiple clusters) that communicate over mTLS must present certificates that chain to the same root of trust: either the self-signed certificates from the Istio CA or certificates issued by the external CA, never a mix. A workload whose certificate was issued by the external CA cannot complete an mTLS handshake with a peer that still trusts only the Istio CA root.
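The chain described above (external root, cluster intermediate, workload leaf) and the same-root requirement for mTLS, as an added example using only the Go standard library. This is not Panoptica's or Istio's own code: the external CA is modelled by an in-process signing key, and the CA names and the SPIFFE identity are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// credential is a certificate with its private key: root CA, intermediate CA, or workload.
type credential struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (or self-signs it when parent is nil) under a fresh P-256 key.
func issue(tmpl *x509.Certificate, parent *credential) (*credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate small clock skew between peers
	if parent == nil {
		parent = &credential{cert: tmpl, key: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &credential{cert: cert, key: key}, nil
}

// newCA returns a CA certificate: a self-signed root when parent is nil, otherwise an
// intermediate chained to parent, like the one an external CA hands to a cluster.
func newCA(cn string, parent *credential) (*credential, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, parent)
}

// issueWorkloadCert signs a short-lived leaf for one workload, identified by a SPIFFE URI
// SAN as in Istio workload certificates; short lifetimes are why renewal must be continuous.
func issueWorkloadCert(issuer *credential, spiffeID string) (*credential, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		NotAfter:    time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}, issuer)
}

// verifyPeer does what an mTLS peer does with a presented chain: build a path from the
// leaf through the intermediate to a root it trusts, then read the workload identity.
func verifyPeer(leaf, intermediate, trustedRoot *x509.Certificate) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(intermediate)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected one SPIFFE URI SAN, got %d", len(leaf.URIs))
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	// CA names and the SPIFFE path are made up for this example.
	externalRoot, _ := newCA("Example External Root CA", nil)
	clusterCA, _ := newCA("Example Cluster Intermediate CA", externalRoot)
	istioRoot, _ := newCA("Istio Self-Signed Root CA", nil)
	frontend, _ := issueWorkloadCert(clusterCA, "spiffe://cluster.local/ns/default/sa/frontend")
	id, err := verifyPeer(frontend.cert, clusterCA.cert, externalRoot.cert)
	fmt.Println("peer trusting the external root:", id, err)
	_, err = verifyPeer(frontend.cert, clusterCA.cert, istioRoot.cert)
	fmt.Println("peer still trusting only the Istio root:", err)
}
```

The first verification succeeds and yields the workload's SPIFFE ID; the second fails with an unknown-authority error even though the certificate is perfectly valid, because the peer's trust store does not contain the root the intermediate chains to. That failure is exactly what a cluster only partially migrated to the external CA would see.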