Enabling AppViewX Signer

AppViewX Signer, a sub-component of cert-orchestrator deployed in the Kubernetes cluster, addresses a real-world Istio challenge: it signs the workload certificates with a trusted CA and installs the trust anchor in the cluster in an auto-enrolled fashion.

Two Steps to Enable Zero Trust Security for Containers Using mTLS Certificates

  1. Enforce PKI policies to ensure the use of compliant CAs and strong cryptographic standards in your service mesh configuration.
  2. Enable External CA signing mode for your Service Mesh configuration to sign workloads with mTLS certificates from your Enterprise PKI.

Enabling a Signer for mTLS Certificate Issuance

  1. Onboard Cluster - Deploy or enable AppViewX Signer as part of the KUBE+ component (cert-orchestrator).
  2. Policy Enforcement - Define and enforce the CA Policy and the Cluster Policy.
  3. Onboard Mesh - Configure the CSR signing mode and the Certificate Authority to be used in the Service Mesh.
  4. Enable External CA Mode - Configure the Service Mesh to External CA mode for CSR signing.

Onboarding a Cluster

To deploy and enable the signer component, the KUBE+ component cert-orchestrator must be deployed in the Kubernetes cluster where the Service Mesh is enabled.

Onboarding a New Cluster

If you are deploying cert-orchestrator for the first time in your cluster, refer to Onboarding a Cluster to obtain the deployment configuration for deploying cert-orchestrator.
Note: While generating the deployment configuration, select the feature gate Enable mTLS Certificates for Service Mesh, which enables AppViewX Signer as part of the deployment.

Onboarding an Existing Cluster

For a cluster already onboarded in KUBE+, the signer component can be enabled by modifying the deployment configuration and executing the updated installation command on your cluster.
Note: While modifying the deployment configuration, select the feature gate Enable mTLS Certificates for Service Mesh, which enables AppViewX Signer as part of the deployment.

Policy Enforcement for a Secure Service Mesh

To enable mTLS certificate issuance for application workloads from your Enterprise PKI, PKI policies must be defined and enforced for your Service Mesh deployment.

Defining and Enforcing the Policy Definition for your Service Mesh Deployment

  1. CA Integration - Integrate AppViewX KUBE+ with your internal CA for signing the certificates of your service mesh workloads.
  2. CA Policy - Define a CA Policy to enforce your organization's cryptographic standards and map it to Certificate Groups (which categorize certificates by business unit).
  3. Enforce Cluster Policy - Enforce a dedicated CA Policy / PKI policy on one or more clusters to promote secure and compliant certificate management practices.

CA Integration

The Service Mesh can be integrated with your Enterprise internal PKI solely for signing application workloads with mTLS certificates.

AppViewX supports integration with EJBCA and Microsoft CA for signing mTLS service mesh workloads. Refer to CA Integration for the steps to configure AppViewX KUBE+ with the respective Certificate Authority.

CA Policy

Configure certificate issuance parameters to enforce strong cryptographic standards for your mTLS workloads. Refer to CA Policy for the steps to configure a CA policy, and to Certificate Group for the steps to associate policies with certificate groups.
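The checks such a CA policy expresses (key strength, a capped lifetime, a SPIFFE identity in the expected trust domain, and a chain to the trust anchor installed in the cluster) can be exercised in code. The following Go program is an added example written for this page; it is not part of AppViewX KUBE+, Istio, or either supported CA. It uses Go's standard library to build a constructed stand-in CA in place of EJBCA or Microsoft CA, issues several workload certificates, and reports which ones a policy checker would reject. The policy values, the trust domain cluster.local, and the SPIFFE paths are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// MeshCertPolicy lists the rules a CA policy for mesh workloads would enforce.
// The values in DefaultPolicy are illustrative assumptions, not AppViewX defaults.
type MeshCertPolicy struct {
	TrustDomain   string           // SPIFFE trust domain the URI SAN must belong to
	MinRSABits    int              // smallest acceptable RSA modulus
	AllowedCurves []elliptic.Curve // acceptable ECDSA curves
	MaxValidity   time.Duration    // longest acceptable workload certificate lifetime
}

func DefaultPolicy() MeshCertPolicy {
	return MeshCertPolicy{
		TrustDomain:   "cluster.local",
		MinRSABits:    2048,
		AllowedCurves: []elliptic.Curve{elliptic.P256(), elliptic.P384()},
		MaxValidity:   24 * time.Hour,
	}
}

// CheckWorkloadCert returns nil when leaf chains to one of roots (the trust anchor
// installed in the cluster) and satisfies every policy rule; otherwise the first failure.
func CheckWorkloadCert(leaf *x509.Certificate, roots *x509.CertPool, policy MeshCertPolicy, now time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	switch pub := leaf.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < policy.MinRSABits {
			return fmt.Errorf("rsa key of %d bits is below the policy minimum of %d", pub.N.BitLen(), policy.MinRSABits)
		}
	case *ecdsa.PublicKey:
		allowed := false
		for _, c := range policy.AllowedCurves {
			if pub.Curve == c {
				allowed = true
			}
		}
		if !allowed {
			return fmt.Errorf("ecdsa curve %s is not allowed by policy", pub.Curve.Params().Name)
		}
	default:
		return fmt.Errorf("unsupported key type %T", pub)
	}
	if lifetime := leaf.NotAfter.Sub(leaf.NotBefore); lifetime > policy.MaxValidity {
		return fmt.Errorf("lifetime %s exceeds the policy maximum of %s", lifetime, policy.MaxValidity)
	}
	var spiffe []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			spiffe = append(spiffe, u)
		}
	}
	if len(spiffe) != 1 {
		return fmt.Errorf("expected exactly one spiffe URI SAN, found %d", len(spiffe))
	}
	if spiffe[0].Host != policy.TrustDomain {
		return fmt.Errorf("trust domain %q does not match policy trust domain %q", spiffe[0].Host, policy.TrustDomain)
	}
	return nil
}

// NewTestCA builds a self-signed CA that stands in for the enterprise CA (constructed for this example).
func NewTestCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueWorkloadCert signs a workload certificate carrying spiffeID as its URI SAN.
// NotBefore is backdated one minute for clock skew, so the encoded lifetime is lifetime+1m.
func IssueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, pub any, lifetime time.Duration) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunScenarios issues one compliant and four non-compliant certificates and returns the
// checker's verdict per scenario (nil means accepted). Identities are constructed examples.
func RunScenarios() (map[string]error, error) {
	ca, caKey, err := NewTestCA("Example Enterprise Issuing CA")
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := NewTestCA("Untrusted CA")
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the trust anchor the signer installs in the cluster
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakKey, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	const id = "spiffe://cluster.local/ns/default/sa/bookinfo"
	cases := []struct {
		name string
		ca   *x509.Certificate
		key  *ecdsa.PrivateKey
		id   string
		pub  any
		ttl  time.Duration
	}{
		{"compliant", ca, caKey, id, &goodKey.PublicKey, time.Hour},
		{"weak-curve", ca, caKey, id, &weakKey.PublicKey, time.Hour},
		{"too-long-lived", ca, caKey, id, &goodKey.PublicKey, 30 * 24 * time.Hour},
		{"wrong-trust-domain", ca, caKey, "spiffe://other.example/ns/default/sa/bookinfo", &goodKey.PublicKey, time.Hour},
		{"untrusted-issuer", rogueCA, rogueKey, id, &goodKey.PublicKey, time.Hour},
	}
	policy := DefaultPolicy()
	results := map[string]error{}
	for _, c := range cases {
		leaf, err := IssueWorkloadCert(c.ca, c.key, c.id, c.pub, c.ttl)
		if err != nil {
			return nil, err
		}
		results[c.name] = CheckWorkloadCert(leaf, roots, policy, time.Now())
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-20s %v\n", name, verdict)
	}
}
```

Only the compliant certificate passes; the other four are rejected with a reason naming the violated rule, which is the kind of verdict an admission or audit hook would record when a mesh workload presents a certificate that the enforced CA policy does not permit.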

Cluster Policy

Configure a Cluster Policy to enforce a dedicated CA/PKI policy for the service mesh external CA integration. Refer to Create Policy for the steps to configure the Cluster Policy.
Note: For Service Mesh External CA signing, the policy type must be set to CA Setting Cluster, and the supported certificate authorities are EJBCA and Microsoft CA.