Citadel

Citadel provides authentication and authorization features. Its authentication feature, which has built-in identity and credential management, enables authenticated service-to-service and end-user communication. Its authorization feature controls who can access your services. Citadel acts as a Public Key Infrastructure (PKI): it issues certificates for the services and rotates them.

Istio really shines in service identity, RBAC, and end-to-end mTLS. Implementing this security does not require any changes to the application's code. The Istio security model is implemented through the following components:

  • Citadel is Istio's central certificate authority for issuing and rotating keys and certificates.
  • Pilot distributes the authentication policies and provides secure naming services using SPIFFE.
  • Mixer is the central place that provides authorization and auditing policies.
  • Envoy is the default proxy in Istio. Istio also uses Envoy as the edge proxy in Istio gateways to provide secure communication between clients and servers.

In a distributed dynamic system, managing certificates and rotation can become very time-consuming, complex, and error-prone when not all of the clients are known in advance. Citadel takes away this complexity through a self-service model to establish end-to-end encryption (mTLS) between microservices by injecting certificates into the microservices.

Citadel provides a self-signed root certificate and private key, which it uses to sign the workload certificates. Citadel can also use a customer-supplied root certificate and key.
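The following is an added illustration of the model just described (example code, not Istio's or Citadel's own implementation): a self-signed root signs short-lived workload certificates whose only SAN is the SPIFFE URI identity, and the receiving sidecar must both chain the certificate to the root and match that identity against the one it expects for the service (the secure naming point from the component list above). The `cluster.local` trust domain, the service-account names and the certificate lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
// sign makes a fresh Ed25519 key and issues tmpl under parent; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: tmpl is its own issuer and signs with the new key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRoot stands in for Citadel's self-signed root CA (assumed trust domain cluster.local): long-lived, used only to sign workload certs.
func NewRoot(now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster.local root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour)}, nil, nil)
}

// IssueWorkload signs a cert whose only SAN is spiffe://<trust domain>/ns/<ns>/sa/<sa>; a short ttl bounds how long a leaked workload key stays usable before rotation replaces it.
func IssueWorkload(root *x509.Certificate, rootKey ed25519.PrivateKey, trustDomain, ns, sa string, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	id := &url.URL{Scheme: "spiffe", Host: trustDomain, Path: "/ns/" + ns + "/sa/" + sa}
	cert, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{id},
		NotBefore: now, NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}, root, rootKey)
	return cert, err
}

// VerifyPeer is the receiving sidecar's check at time "at": the cert must chain to the trusted root AND carry exactly the SPIFFE ID expected for that service (secure naming); anything else is rejected.
func VerifyPeer(root, leaf *x509.Certificate, expectedID string, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil && len(leaf.URIs) == 1 && leaf.URIs[0].String() == expectedID
}
```

A certificate signed by a different root, one carrying another service's SPIFFE ID, or one checked after its ttl has elapsed all fail `VerifyPeer`, which is what makes rotation limit the window of a compromised key.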

Next, we will look at how the built-in PKI generates certificates and automatically rotates keys to minimize exposure to compromised keys.
