Sectigo Kubernetes ACME integration
Sectigo provides a seamless way to retrieve SSL/TLS certificates issued by the Sectigo public or private CA via the ACME server. The server needs the external account binding information to register the ACME account and issue certificates for that account when requested.
Cert-Manager is a Kubernetes native certificate manager which supports external account binding (EAB). It works by creating Issuers or Cluster Issuers in Kubernetes to provision certificates from ACME servers.
This document describes the use of a new version of the plugin which doesn't require a separate ACME-EABTool.
The following diagram illustrates the integration architecture.
The Sectigo Kubernetes ACME integration has the following requirements:
The ACME server URL from your SCM account
The ACME account KID and HMAC Key from your SCM account
Cert-Manager v1.7 installed
Create a Kubernetes Secret that contains the HMAC key and use its name in your Cert-Manager Issuer file. This is how the ACME server identifies your ACME account and registers it.
To create the secret, run the following command with your preferred secret name.
kubectl create secret generic <secret name> --from-literal secret=<your HMAC key> -n <namespace-name>
To list the secrets, run the command.
kubectl get secrets -n <namespace-name>
The namespace is not mandatory. If not provided, the default namespace is used.
A Kubernetes Secret can be created in various ways. For more information, see Secrets.
In Cert-Manager, an Issuer or Cluster Issuer represents the certificate authority (CA) that you request certificates from. To request a certificate, you need an Issuer or Cluster Issuer successfully registered with the ACME server. For more details, see ACME in the Cert-Manager docs.
To register an Issuer or Cluster Issuer with the ACME server:
Create a .yaml file for the Issuer with the following information.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issuer1 # The name of an Issuer; the Certificate's issuerRef must use this name
spec:
  acme:
    email: [email protected] # A valid email address for certificate expiry alerts
    server: https://acme.demo.sectigo.com # The ACME server URL
    externalAccountBinding:
      keyID: 21b5a359ad6fa40574fab180 # The ACME account KID from your SCM account
      keySecretRef:
        name: hmac1 # The name of the Kubernetes Secret created with your HMAC key
        key: secret # The data key inside that Secret (matches --from-literal secret=...)
    privateKeySecretRef:
      name: issuer-account-key # The private key created by Cert-Manager
    solvers:
    - http01:
        ingress:
          class: nginx
Create the Issuer using your .yaml file by running the following command.
kubectl apply -f <your-issuer-name.yaml> -n <your-namespace>
The namespace is not mandatory. If not provided, the default namespace is used.
Once your Issuer is ready to be used, its status is set to True. Verify the Issuer by running the following command.
kubectl describe issuer <your-issuer-name> -n <your-namespace>
Create your certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert1 # The certificate name
  namespace: 7scert-manager # The namespace where the secret will be stored
spec:
  # Secret names are always required.
  secretName: cert1.tls # The Secret name that contains the certificate
  commonName: ccmqa.com # The certificate domain name
  privateKey:
    algorithm: RSA # The key type
    encoding: PKCS1
    size: 2048 # The key size
  dnsNames:
  - ccmqa.com # The certificate domain names
  # Issuer references are always required.
  issuerRef:
    name: issuer1 # The name of an Issuer
    kind: Issuer
    group: cert-manager.io
For more options such as domain control validation, different key types and sizes, securing Ingress, and so on, see the Cert-Manager tutorials.
To provision certificates, run the following command.
kubectl apply -f certificate-file.yaml -n <your-namespace>
To verify that the certificates have been provisioned, run the command.
kubectl get certificates -n <your-namespace>
You can also get the certificate details by running the following command.
kubectl describe certificate <certificate-name> -n <your-namespace>
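The three objects above only work together when their references line up: the Issuer's keySecretRef must name an existing Secret and data key in the Issuer's namespace, a namespaced Issuer must be in the same namespace as the Certificate that references it, and the Issuer must report Ready=True before a Certificate can be signed. The following Python block is an added example, not Sectigo's or cert-manager's code, that runs those checks over the JSON form of the objects (the shape `kubectl get <kind> <name> -o json` returns). The embedded objects are constructed to mirror the manifests in this guide; in practice you would load them with `json.load` from that command's output.

```python
import json
from typing import List

# Constructed JSON-form objects mirroring this guide's manifests. Secret data
# values are base64 and irrelevant here; only the data key name is checked.
SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "hmac1", "namespace": "default"},
    "data": {"secret": "Y29uc3RydWN0ZWQ="},
}
ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "Issuer",
    "metadata": {"name": "issuer1", "namespace": "default"},
    "spec": {"acme": {
        "server": "https://acme.demo.sectigo.com",
        "externalAccountBinding": {"keyID": "<your-kid>",
                                   "keySecretRef": {"name": "hmac1", "key": "secret"}},
        "privateKeySecretRef": {"name": "issuer-account-key"},
    }},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "cert1", "namespace": "default"},
    "spec": {"secretName": "cert1.tls", "dnsNames": ["ccmqa.com"],
             "issuerRef": {"name": "issuer1", "kind": "Issuer", "group": "cert-manager.io"}},
}


def _ns(obj: dict) -> str:
    return obj["metadata"].get("namespace", "default")


def issuer_ready(issuer: dict) -> bool:
    """True when the Issuer carries a Ready=True condition, the same signal
    that `kubectl describe issuer` prints under Status."""
    conditions = issuer.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions)


def check_references(secret: dict, issuer: dict, certificate: dict) -> List[str]:
    """Return a list of problems; an empty list means the objects are consistent."""
    problems = []
    acme = issuer.get("spec", {}).get("acme", {})
    eab = acme.get("externalAccountBinding")
    if not eab:
        problems.append("Issuer has no externalAccountBinding; the Sectigo ACME server requires EAB")
    else:
        ref = eab.get("keySecretRef", {})
        if ref.get("name") != secret["metadata"]["name"] or _ns(issuer) != _ns(secret):
            problems.append(f"Issuer keySecretRef {ref.get('name')!r} does not match Secret "
                            f"{secret['metadata']['name']!r} in namespace {_ns(issuer)!r}")
        elif ref.get("key") not in secret.get("data", {}):
            problems.append(f"Secret {secret['metadata']['name']!r} has no data key {ref.get('key')!r}; "
                            f"create it with --from-literal {ref.get('key')}=<your HMAC key>")
    spec = certificate.get("spec", {})
    iref = spec.get("issuerRef", {})
    if iref.get("group", "cert-manager.io") != "cert-manager.io":
        problems.append(f"Certificate issuerRef group {iref.get('group')!r} is not cert-manager.io")
    # A namespaced Issuer is only visible to Certificates in its own namespace.
    if iref.get("kind", "Issuer") == "Issuer":
        if iref.get("name") != issuer["metadata"]["name"] or _ns(certificate) != _ns(issuer):
            problems.append(f"Certificate issuerRef {iref.get('name')!r} does not match Issuer "
                            f"{issuer['metadata']['name']!r} in namespace {_ns(certificate)!r}")
    if not spec.get("dnsNames") and not spec.get("commonName"):
        problems.append("Certificate has neither dnsNames nor commonName")
    if not issuer_ready(issuer):
        problems.append("Issuer is not Ready; fix its registration before applying the Certificate")
    return problems


if __name__ == "__main__":
    # Replace the constants with json.load() of `kubectl get ... -o json` output.
    for line in check_references(SECRET, ISSUER, CERTIFICATE) or ["ok"]:
        print(line)
```

Run it before `kubectl apply -f certificate-file.yaml`; a mismatched issuerRef name or a Secret created under a different data key otherwise only surfaces later as a Certificate stuck in a not-Ready state, which `kubectl describe certificate` reports under Events.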