Setting up mTLS on Linkerd

Refer to the Enabling mutual TLS within the mesh section of Chapter 11, Exploring Istio's Security Features, for a detailed discussion of mTLS.

Linkerd makes mTLS accessible and straightforward through its sidecar proxies, which use ephemeral (short-lived) leaf certificates. It automatically applies mTLS across host boundaries to encrypt HTTP and gRPC communication between microservices that run with Linkerd as a sidecar proxy. No code is needed at the microservice level to handle TLS, because the Linkerd control plane takes care of it automatically. This frees developers from having to secure communication between microservices themselves.

Because the Linkerd sidecar proxy runs as a container within the same pod, the existing microservice can keep communicating unencrypted (plain HTTP) with it; the service, its sidecar proxy, and Linkerd together provide mutual TLS across pod boundaries. Linkerd provides per-service certificate setup: it generates a root CA certificate and uses it to create and sign a leaf certificate (X.509 v3) for each service in the application.

Linkerd enables mTLS by default. We will validate this in this chapter and see how to integrate a CA with Linkerd.
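To make the certificate hierarchy described above concrete, here is an added example (not code from the book or from the Linkerd project) that rebuilds it with plain openssl: a trust anchor (root CA), an issuer CA signed by it, and a short-lived leaf certificate per service account carrying a Linkerd-style identity name, followed by the chain check a receiving proxy performs. It assumes only openssl 1.1.1 or newer on PATH; the service account name `web` and namespace `emojivoto` are constructed for the example.

```shell
# Added example, not code from the book or from Linkerd: rebuild the certificate
# hierarchy behind Linkerd mTLS with plain openssl and verify a leaf the way a
# receiving proxy would. Assumes only openssl (1.1.1+) on PATH; the service and
# namespace names are constructed here.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Linkerd requires ECDSA P-256 keys for the trust anchor and the issuer.
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Trust anchor: the self-signed root CA every proxy is given as its trust store.
make_trust_anchor() {
  new_key "$WORK/$1.key"
  openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=root.linkerd.cluster.local" \
    -days 3650 -out "$WORK/$1.crt" 2>/dev/null
}

# Issuer: the intermediate CA held by linkerd-identity that signs every leaf.
make_issuer() {
  new_key "$WORK/issuer.key"
  openssl req -new -key "$WORK/issuer.key" -subj "/CN=identity.linkerd.cluster.local" \
    -out "$WORK/issuer.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/issuer.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/issuer.crt" 2>/dev/null
}

# Leaf: one per service account, 24h lifetime (Linkerd's default), identity in the
# SAN as <serviceaccount>.<namespace>.serviceaccount.identity.linkerd.cluster.local
make_leaf() {
  id="$1.$2.serviceaccount.identity.linkerd.cluster.local"
  new_key "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$id" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$id" >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/issuer.crt" -CAkey "$WORK/issuer.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Peer-side check: chain the presented leaf through the issuer to the trust anchor.
verify_leaf() {
  if openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/issuer.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}
# The identity a peer reads from the leaf's SAN before applying its policy.
leaf_identity() { openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName | sed -n 's/.*DNS://p'; }

make_trust_anchor ca; make_issuer ca; make_leaf web emojivoto
make_trust_anchor other   # an unrelated root: a leaf from this mesh must not chain to it
echo "identity: $(leaf_identity web)  trusted: $(verify_leaf ca web)  foreign root: $(verify_leaf other web)"
```

The last line prints `valid` for the mesh's own trust anchor and `invalid` for the unrelated root, which is the property that stops a proxy from accepting a certificate minted outside the mesh.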
