Trusted Certificate Authority
Authservice and Istio automatically consume the combined trust bundle (Private PKI + DoD + Public CAs) when those features are enabled in the UDS Cluster Configuration. This ensures seamless TLS verification for SSO and internal service communication without requiring manual duplication of certificates.
To configure, set CA_BUNDLE_CERTS in your uds-config.yaml. If you also enable CA_BUNDLE_INCLUDE_DOD_CERTS or CA_BUNDLE_INCLUDE_PUBLIC_CERTS, these will be automatically merged into the trust chain used by Authservice and Istio. For details on configuring this variable, see the Central Trust Bundle Management documentation.
For example, you can specify the CA_BUNDLE_CERTS variable in your uds-config.yaml:
    variables:
      core:
        CA_BUNDLE_CERTS: <base64 encoded certificate authority>

See configuring Istio Ingress for the relevant documentation on configuring ingress certificates.
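One way to prepare the value for CA_BUNDLE_CERTS, as an added example that is not part of the UDS documentation: it checks a CA bundle before encoding it, rejecting private key material, non-CA certificates and expired certificates. It assumes the bundle is a PEM file and the openssl CLI is installed; the function name `encode_ca_bundle` is hypothetical.

```shell
#!/bin/sh
# Added example: check a PEM CA bundle, then print the single-line base64
# value for CA_BUNDLE_CERTS. Requires the openssl CLI.

# encode_ca_bundle <pem-file>   (hypothetical helper name)
# The body runs in a subshell so the temp-dir cleanup trap stays local.
encode_ca_bundle() (
  bundle=$1
  [ -r "$bundle" ] || { echo "cannot read: $bundle" >&2; exit 2; }

  # A trust bundle is public data; private key material must never ride along.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
    echo "refusing: private key block in $bundle" >&2; exit 3
  fi

  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT

  # Split into one file per certificate so each is checked on its own
  # (openssl x509 only reads the first certificate in a file).
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = sprintf("%s/cert%04d.pem", d, ++n) }
    f { print > f }' "$bundle"

  set -- "$tmp"/cert*.pem
  [ -e "$1" ] || { echo "no certificates in $bundle" >&2; exit 4; }

  for c in "$@"; do
    subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null) ||
      { echo "unparseable certificate block: ${c##*/}" >&2; exit 5; }
    # Only CA certificates (basicConstraints CA:TRUE) belong in a trust bundle.
    openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE' ||
      { echo "not a CA certificate: $subj" >&2; exit 6; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$c" -noout -checkend 0 >/dev/null ||
      { echo "expired: $subj" >&2; exit 7; }
  done

  # Emit without line wrapping so the value fits a single YAML scalar.
  base64 < "$bundle" | tr -d '\n'
)
```

Calling `encode_ca_bundle ca-bundle.pem` (a hypothetical path) prints the string to paste as the CA_BUNDLE_CERTS value; a non-zero exit status means the bundle failed a check and nothing was encoded.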