Self-signed certificates are public key certificates that are not issued by a certificate authority (CA). You’d use these certificates for development and testing.

Create the certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=your-domain-name Inc./CN=your-domain-name' -keyout your-domain-name.key -out your-domain-name.crt

openssl req -out your-domain-name.csr -newkey rsa:2048 -nodes -keyout your-domain-name.key -subj "/CN=your-domain-name/O=Test SAM from your-domain-name"

openssl x509 -req -days 365 -CA your-domain-name.crt -CAkey your-domain-name.key -set_serial 0 -in your-domain-name.csr -out your-domain-name.crt

Use the certificate in Istio ingress gateway

The secret with certificates must be called istio-ingressgateway-certs, and we have to deploy it to the istio-system namespace. That way, the Istio ingress gateway will load the secret automatically.

kubectl delete secret istio-ingressgateway-certs -n istio-system
kubectl create secret tls istio-ingressgateway-certs -n istio-system --key your-domain-name.key --cert your-domain-name.crt

Update the Gateway resource to use the certificate and private key:

cat <<EOF | kubectl apply -f -
kind: Gateway
  name: public-gateway
    istio: ingressgateway
  - port:
      number: 443
      name: https
      protocol: HTTPS
      mode: SIMPLE
      # These are coming from the istio-ingressgateway-certs secret
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    - test.your-domain-name

How to get your Java app to accept the certificate

Solving Java HTTPS connection with SSL certificate Error:

PKIX path building failed: unable to find valid certification path to requested target

Import the cert to the Java Keystore

sudo keytool -importcert -file your-domain-name.crt -noprompt -alias test.your-domain-name.cert -storepass changeit -keystore $JAVA_HOME/lib/security/cacerts

How to add the certificate to a distroless docker image

The only way I got working was to create a new docker images and on create time run the keytool command.


# Create a directory to store the CA certificate
WORKDIR /certs

# Copy your CA certificate into the image
COPY certs/your-domain-name.crt /certs/your-domain-name.crt

RUN [\