Tetrate Istio Subscription, Version: Next

TIS0005 - Root CA Certificate Is Invalid or Has Expired

The root CA certificate is either invalid (missing required fields or improperly formatted) or has expired, causing potential failures in mutual TLS (mTLS) or other secure connections.

Recommendation: Verify and Update Your Root CA Certificate

By verifying and updating your root CA certificate to ensure it is valid and properly configured, you can maintain secure communication across your Istio-enabled environment.

Examples

  1. Secret Containing an Expired Root CA Certificate

    apiVersion: v1
    kind: Secret
    metadata:
      name: root-ca
      namespace: istio-system
    type: Opaque
    data:
      ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR... # Expired certificate
      ca-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWT...

    Explanation: The root CA certificate inside the ca-cert.pem file has passed its notAfter date. Any workloads relying on this certificate will fail to establish a secure connection once the certificate has expired.

  2. Secret Missing Required Certificate Fields

    apiVersion: v1
    kind: Secret
    metadata:
      name: root-ca
      namespace: istio-system
    type: Opaque
    data:
      ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR... # Missing Subject or SAN fields
      ca-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWT...

    Explanation: The provided CA certificate is missing critical fields (e.g., Subject or SAN) required for correct certificate validation. This could lead to trust issues or handshake failures in the service mesh.

  3. Secret Missing ca-cert.pem

    apiVersion: v1
    kind: Secret
    metadata:
      name: root-ca
      namespace: istio-system
    type: Opaque
    data:
      # ca-cert.pem is completely missing
      ca-key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWT...

    Explanation: The Secret does not contain the ca-cert.pem file required for establishing trust. Without this file, Istio workloads cannot authenticate peer certificates or set up secure connections using mTLS.

Recommendation

  1. Renew or Replace the Root CA Certificate

    Generate or obtain a new certificate before the current certificate expires, ensuring it includes required fields (e.g., Subject, SAN) and has an appropriate notAfter date.

    # Example: Generate a self-signed CA certificate with OpenSSL (for testing)
    openssl req -x509 -newkey rsa:4096 -nodes -keyout ca-key.pem -out ca-cert.pem -days 365 \
      -subj "/C=US/ST=Example/L=Example/O=Example/CN=example-ca"

  2. Verify Certificate Validity Period and Configuration

    Regularly check the validity dates of your root CA certificate, ensuring it is not expired and that all required fields (e.g., Subject, SAN) are present.

    # Check dates of a certificate
    openssl x509 -noout -dates -in ca-cert.pem
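The following script is an added example, not Tetrate's own tooling: it runs the checks TIS0005 describes (ca-cert.pem present, not expired or about to expire, non-empty Subject, SAN extension present) against a PEM file extracted from the Secret. The Secret name root-ca and namespace istio-system are taken from the examples above; the 30-day lead time is an assumed threshold.

```shell
#!/usr/bin/env bash
# Added example, not Tetrate's own tooling: check a root CA PEM for the
# conditions TIS0005 flags (file missing, expired or expiring, empty Subject,
# no SAN). The Secret and namespace names are assumed from the examples above.
set -u

# To run against a cluster (assumed names):
#   kubectl -n istio-system get secret root-ca \
#     -o jsonpath='{.data.ca-cert\.pem}' | base64 -d > ca-cert.pem
#   check_ca_pem ca-cert.pem 2592000   # fail if under 30 days of validity remain

# check_ca_pem PEM_FILE [MIN_SECONDS_LEFT]   (default 30 days)
# Returns 0 only when every check passes; prints one line per finding.
check_ca_pem() {
  local pem="$1" min_left="${2:-2592000}" rc=0 subject text
  if [ ! -s "$pem" ]; then
    echo "FAIL: $pem is missing or empty (no ca-cert.pem in the Secret)"; return 1
  fi
  if ! openssl x509 -noout -in "$pem" 2>/dev/null; then
    echo "FAIL: $pem is not a parseable X.509 certificate"; return 1
  fi
  # -checkend N fails if the cert has expired or will expire within N seconds
  if ! openssl x509 -noout -checkend "$min_left" -in "$pem" >/dev/null; then
    echo "FAIL: expired or expiring within ${min_left}s: $(openssl x509 -noout -enddate -in "$pem")"
    rc=1
  fi
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" | sed 's/^subject=//' | tr -d ' ')
  if [ -z "$subject" ]; then
    echo "FAIL: certificate has an empty Subject"; rc=1
  fi
  text=$(openssl x509 -noout -text -in "$pem")
  # SAN values are printed on the line after the "Subject Alternative Name" header
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qE 'DNS:|URI:|IP Address:|email:'; then
    echo "FAIL: no Subject Alternative Name extension"; rc=1
  fi
  # A root that does not assert CA:TRUE cannot be used as an issuer (warning only)
  if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "WARN: basicConstraints CA:TRUE not set"
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: $pem passes all checks"; fi
  return "$rc"
}
```

Run it from a cron job or a pre-rotation pipeline step so an expiring root is caught before the notAfter date rather than when mTLS handshakes start failing.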