Sectigo Kubernetes ACME integration

Overview

Sectigo's ACME server issues SSL/TLS certificates from the Sectigo public or private CA. Registering an ACME account with it requires external account binding (EAB) information, a key identifier (KID) and an HMAC key, both taken from your SCM account; the server uses them to bind the new ACME account to your SCM account and then issues certificates for that account on request.

Cert-Manager is a Kubernetes native certificate manager which supports external account binding (EAB). It works by creating Issuers or Cluster Issuers in Kubernetes to provision certificates from ACME servers.

This document describes the use of a new version of the plugin which doesn’t require a separate ACME-EABTool.

The following diagram illustrates the integration architecture.

Sectigo Kubernetes ACME integration diagram

Prerequisites

The Sectigo Kubernetes ACME integration has the following requirements:

  • The ACME server URL from your SCM account

  • The ACME account KID and HMAC key from your SCM account (shown under the ACME account details in SCM)

  • Cert-Manager v1.7 installed

Generating a Kubernetes Secret with the HMAC of your ACME account

Create a Kubernetes Secret that contains the HMAC key and reference its name from your Cert-Manager Issuer. Cert-Manager uses this key to sign the external account binding in its registration request; the ACME server checks that signature against the key registered for your KID and, if it matches, registers the account and binds it to your SCM account. The Secret must live in the same namespace as the Issuer that references it (for a Cluster Issuer, in Cert-Manager's cluster resource namespace, cert-manager by default).

To create the Secret, run the following command with your preferred Secret name. The data key must be named secret, because that is the key name the Issuer file below refers to.

kubectl create secret generic <secret name> --from-literal=secret=<your HMAC key> -n <namespace-name>

A key passed on the command line is recorded in your shell history. On a shared or long-lived workstation, remove that history entry afterwards or supply the key from a file with --from-file instead. Restrict read access to the Secret with RBAC as well: anyone who holds the HMAC key together with the KID can bind ACME accounts to your SCM account.

To list the Secrets, run the following command.

kubectl get secrets -n <namespace-name>

The namespace is not mandatory. If not provided, the default namespace is used.

Kubernetes Secrets can be created in various ways. For more information, see Secrets in the Kubernetes documentation.

Using the Kubernetes Secret in the Issuer file

In Cert-Manager, an Issuer or Cluster Issuer represents the certificate authority (CA) that you request certificates from. To request a certificate, you need an Issuer or Cluster Issuer that has successfully registered an account with the ACME server. For more details, see ACME in the Cert-Manager docs.

To register an Issuer or Cluster Issuer with the ACME server:

  1. Create a .yaml file for the Issuer with the following information.

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: issuer1  # The name of the Issuer; the Certificate refers to it by this name
    spec:
      acme:
        email: <your-email-address>  # A valid email address, used for certificate expiry alerts
        server: https://acme.demo.sectigo.com  # The ACME server URL from your SCM account
        externalAccountBinding:
          keyID: 21b5a359ad6fa40574fab180  # The ACME account KID from your SCM account
          keySecretRef:
            name: hmac1  # The name of the Kubernetes Secret created with your HMAC key
            key: secret  # The data key inside that Secret
        privateKeySecretRef:
          name: issuer-account-key  # The Secret in which Cert-Manager stores the ACME account private key it generates
        solvers:
        - http01:
            ingress:
              class: nginx
  2. Create the Issuer using your .yaml file by running the following command.

    kubectl apply -f <your-issuer-name.yaml> -n <your-namespace>

    The namespace is not mandatory. If not provided, the default namespace is used. If your Issuer file sets metadata.namespace, it must agree with the namespace given here.
  3. Once your Issuer has registered with the ACME server, its Ready condition is set to True. Verify the Issuer by running the following command and checking the Conditions block of the output. If registration failed, for example because the KID or HMAC key does not match your SCM account, the condition is False and its Message field carries the error that was returned.

    kubectl describe issuer <your-issuer-name> -n <your-namespace>
  4. Create your certificate .yaml file.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: cert1  # The certificate name
      namespace: <your-namespace>  # Must be the namespace of the Issuer; the Secret is stored here too
    spec:
      # Secret names are always required.
      secretName: cert1.tls  # The Secret that will contain the certificate and its private key
      commonName: ccmqa.com  # The certificate domain name
      privateKey:
        algorithm: RSA  # The key type
        encoding: PKCS1
        size: 2048  # The key size
      dnsNames:
        - ccmqa.com  # The certificate domain names
      # Issuer references are always required.
      issuerRef:
        name: issuer1  # The name of the Issuer created in step 1
        kind: Issuer
        group: cert-manager.io

    For more options such as domain control validation, different key types and sizes, securing Ingress, and so on, see the Cert-Manager tutorials.

  5. To provision certificates, run the following command.

    kubectl apply -f certificate-file.yaml -n <your-namespace>
  6. To verify that the certificate has been provisioned, run the following command. The READY column shows True once the certificate has been issued and written, together with its private key, to the Secret named in secretName.

    kubectl get certificates -n <your-namespace>

    You can also get the certificate details, including the Conditions that explain a pending or failed issuance, by running the following command.

    kubectl describe certificate <certificate-name> -n <your-namespace>
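The six steps above collected into one script, added here as an example; it is not part of Sectigo's integration or of Cert-Manager. It renders the Issuer and Certificate from a single set of variables so that the Issuer name, Secret name and namespace cannot drift apart (the page's own example uses issue1 in one place and issuer1 in another), reads the HMAC key from a file so it never lands in shell history, rejects a key that is not base64url (an assumption about the key format SCM hands out, matching what Cert-Manager decodes), and waits on the Ready conditions instead of polling by hand. The defaults issuer1, hmac1, cert1, ccmqa.com, the server URL and the KID are the placeholders used above; admin@example.com, the issuer1-account-key Secret name, the wait timeouts and the RUN and HMAC_KEY_FILE variables are assumptions of this script.

```shell
#!/bin/sh
# Added example, not Sectigo's or cert-manager's own tooling. Renders the Issuer
# and Certificate from one set of variables, creates the HMAC Secret from a
# file, and waits for both Ready conditions. All defaults are placeholders
# (taken from the page's example or assumed); override them via the environment.
set -eu

NAMESPACE="${NAMESPACE:-default}"
ISSUER_NAME="${ISSUER_NAME:-issuer1}"
HMAC_SECRET_NAME="${HMAC_SECRET_NAME:-hmac1}"
ACME_SERVER="${ACME_SERVER:-https://acme.demo.sectigo.com}"
ACME_KID="${ACME_KID:-21b5a359ad6fa40574fab180}"
CERT_NAME="${CERT_NAME:-cert1}"
DOMAIN="${DOMAIN:-ccmqa.com}"
EMAIL="${EMAIL:-admin@example.com}"   # assumed placeholder address

# cert-manager base64url-decodes the HMAC key it reads from the Secret, so a key
# containing other characters (or a stray newline) only fails later, at account
# registration. Assumption: SCM hands out the key already base64url-encoded.
check_hmac_key() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_=-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create the Secret from a file ($1) so the key appears neither in shell history
# nor in kubectl's process arguments; trailing line endings are stripped first.
create_hmac_secret() {
  key=$(tr -d '\r\n' < "$1")
  check_hmac_key "$key" || { echo "HMAC key is empty or not base64url" >&2; return 1; }
  printf '%s' "$key" | kubectl create secret generic "$HMAC_SECRET_NAME" \
    -n "$NAMESPACE" --from-file=secret=/dev/stdin
}

render_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ${ISSUER_NAME}
  namespace: ${NAMESPACE}
spec:
  acme:
    email: ${EMAIL}
    server: ${ACME_SERVER}
    externalAccountBinding:
      keyID: ${ACME_KID}
      keySecretRef:
        name: ${HMAC_SECRET_NAME}
        key: secret
    privateKeySecretRef:
      name: ${ISSUER_NAME}-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

render_certificate() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${CERT_NAME}
  namespace: ${NAMESPACE}
spec:
  secretName: ${CERT_NAME}.tls
  commonName: ${DOMAIN}
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
  - ${DOMAIN}
  issuerRef:
    name: ${ISSUER_NAME}
    kind: Issuer
    group: cert-manager.io
EOF
}

# Apply both objects, block until each reports Ready, then print what was
# actually issued (subject, issuer, SANs, validity) from the TLS Secret.
apply_and_wait() {
  render_issuer | kubectl apply -f -
  kubectl wait --for=condition=Ready "issuer/${ISSUER_NAME}" -n "$NAMESPACE" --timeout=120s
  render_certificate | kubectl apply -f -
  kubectl wait --for=condition=Ready "certificate/${CERT_NAME}" -n "$NAMESPACE" --timeout=600s
  kubectl get secret "${CERT_NAME}.tls" -n "$NAMESPACE" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -issuer -ext subjectAltName -dates
}

# Usage: HMAC_KEY_FILE=/path/to/hmac.key RUN=1 sh sectigo-acme.sh
if [ "${RUN:-0}" = "1" ]; then
  create_hmac_secret "${HMAC_KEY_FILE:?set HMAC_KEY_FILE to the file holding your HMAC key}"
  apply_and_wait
fi
```

Without RUN=1 the script only defines its functions, so you can source it and pipe render_issuer or render_certificate into kubectl apply --dry-run=client -f - to review the manifests before anything touches the cluster. The final openssl line is the check worth keeping: it confirms from the issued certificate itself that the SAN list and issuing CA are what you ordered, not just that the Certificate object reports Ready.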