Significance of Issuer CA Mode

The Issuer CA mode chosen for external CA signing largely determines how quickly certificates can be issued to the application workloads running as part of your service mesh infrastructure.

AppViewX KUBE+ supports the following Issuer CA modes for mTLS certificate issuance.
  • Issuer Mode via AppViewX: In this mode, the Cert-orchestrator (AppViewX signer) deployed in your Kubernetes cluster sends each workload's CSR over the API to the cluster (or environment) where AppViewX is deployed, and the mTLS certificate is issued there.

    Example: Assume an on-premises Kubernetes cluster where your workloads run, with CSR requests sent to an AppViewX environment provided to your enterprise as a SaaS service. In this case, the network hops and delays for the CSR to reach AppViewX and then be signed by the CA will not be optimal.

    Also, the CSR generated by the service mesh (Istio in this case) for a workload is valid for only 10 seconds, and the entire process of signing the certificate by the CA via AppViewX must complete within this time frame.

    AppViewX recommends using the AppViewX Issuer mode only when the clusters running your workloads and the AppViewX environment are close to each other.

  • Issuer Mode via Air-Gapped: In this mode, the AppViewX signer component running as part of the Cert-orchestrator generates a Sub CA / Issuing CA, and the certificate and key used to sign workload certificates are held in the memory of the signer component itself, giving faster mTLS certificate issuance.

    The signer component also stores the signing certificate and private key, encrypted, in a Kubernetes secret so they can be reused when the Cert-orchestrator pods or the cluster restart.

    AppViewX recommends using the Air-Gapped Issuer mode when your AppViewX subscription is a SaaS service and the clusters running your workloads are not in close proximity to the AppViewX environment.
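The two constraints above, the 10-second CSR validity window of the AppViewX mode and the in-memory issuing CA of the Air-Gapped mode, are illustrated by the following Go example. It is added here for illustration and is not AppViewX's, KUBE+'s or Istio's code: `LocalIssuer`, `csrWindow`, `NewWorkloadCSR`, `SignWorkloadCSR`, the CA name and the SPIFFE identity are all constructed assumptions, and the encrypted persistence of the key in a Kubernetes secret is deliberately left out. The signer holds its issuing CA in process memory, refuses a CSR that has aged past the 10 s window, checks the CSR's proof of possession, and issues a short-lived leaf certificate carrying only the URI SAN the workload requested.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// csrWindow is the time budget the page describes: the CSR Istio generates for a
// workload is valid for 10 seconds, so signing must complete inside that window.
const csrWindow = 10 * time.Second

// must is demo scaffolding for the setup helpers, not signer logic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LocalIssuer is a simplified stand-in (an assumption, not AppViewX's signer) for
// the Air-Gapped mode: an issuing CA whose certificate and key stay in process
// memory, so each CSR is signed without a network round trip.
type LocalIssuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewLocalIssuer generates a self-signed issuing CA and holds it in memory.
func NewLocalIssuer(name string) *LocalIssuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &LocalIssuer{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// NewWorkloadCSR builds a CSR carrying a SPIFFE-style URI SAN, the identity form a
// mesh workload presents (constructed sample, not Istio's agent code).
func NewWorkloadCSR(spiffeID string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{URIs: []*url.URL{must(url.Parse(spiffeID))}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// SignWorkloadCSR rejects a CSR older than the 10 s window, verifies the CSR's
// proof of possession, and issues a short-lived leaf certificate carrying only
// the URI SANs the workload asked for. csrCreated and now are parameters so the
// time-budget check can be exercised deterministically.
func (li *LocalIssuer) SignWorkloadCSR(csrDER []byte, csrCreated, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	if now.Sub(csrCreated) > csrWindow {
		return nil, errors.New("CSR older than the 10 s window; the workload must request again")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		URIs:         csr.URIs, // identity comes from the CSR, never from a caller-supplied subject
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, li.Cert, csr.PublicKey, li.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issuer := NewLocalIssuer("kube-plus-issuing-ca")                        // constructed CA name
	csr := NewWorkloadCSR("spiffe://cluster.local/ns/default/sa/httpbin") // constructed identity
	leaf, err := issuer.SignWorkloadCSR(csr, time.Now(), time.Now(), time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued", leaf.URIs, "by", leaf.Issuer.CommonName, "until", leaf.NotAfter)
}
```

The window check is the part that matters for the mode choice: with the AppViewX mode, the time spent on the network hop to a distant SaaS environment counts against the same 10 seconds, while the in-memory issuer spends only local signing time. In a real signer the issuing CA's key would be loaded from (and stored encrypted in) the Kubernetes secret the page describes rather than generated on every start.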