Using the Kubernetes Secret

In cert-manager, an Issuer or ClusterIssuer represents the certificate authority (CA) that you request certificates from. To request a certificate, you need an Issuer or ClusterIssuer that has successfully registered with the ACME server. For more details, see ACME in the cert-manager docs.

To register an Issuer or ClusterIssuer with the ACME server:

  1. Create a .yaml file for the Issuer.

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: issuer1  # The name of the Issuer; the Certificate's issuerRef must use this name
    spec:
      acme:
        email: user@example.com  # A valid email address (placeholder)
        # for certificate expiry alerts
        server: https://acme.demo.sectigo.com  # The ACME server URL
        externalAccountBinding:
          keyID: 21b5a359ad6fa40574fab180
          keySecretRef:
            name: hmac1  # The name of the Kubernetes Secret
            # created with your HMAC
            key: secret  # The key inside that Secret that holds the HMAC value
        privateKeySecretRef:
          name: issuer-account-key  # The Secret in which cert-manager stores the ACME account private key
        solvers:
        - http01:
            ingress:
              class: nginx
  2. Create the Issuer using your .yaml file.

    kubectl apply -f <your-issuer-name.yaml> -n <your-namespace>

    The namespace is not mandatory. If not provided, the default namespace is used.

  3. Once your Issuer is ready to be used, its Ready status is set to True. Verify the Issuer.

    kubectl describe issuer <your-issuer-name> -n <your-namespace>

  4. Create your certificate .yaml file.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: cert1  # The certificate name
      namespace: 7scert-manager  # The namespace where the Secret will be stored
    spec:
      # Secret names are always required.
      secretName: cert1.tls  # The Secret name that contains the certificate
      commonName: ccmqa.com  # The certificate domain name
      privateKey:
        algorithm: RSA  # The key type
        encoding: PKCS1
        size: 2048  # The key size
      dnsNames:
        - ccmqa.com  # The certificate domain names
      # Issuer references are always required.
      issuerRef:
        name: issuer1  # The name of the Issuer created in step 1
        kind: Issuer
        group: cert-manager.io

    For more options such as domain control validation, different key types and sizes, or securing Ingress, see cert-manager tutorials.

  5. Enroll certificates.

    kubectl apply -f <your-certificate-name.yaml> -n <your-namespace>
  6. Verify that the certificates have been enrolled.

    kubectl get certificates -n <your-namespace>

    You can also get the certificate details with the following command.

    kubectl describe certificate <certificate-name> -n <your-namespace>
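The six steps above, combined into one script as an added example (it is not part of the Sectigo or cert-manager documentation). It renders the Issuer and Certificate manifests from a single set of variables so the Issuer name, namespace and Secret names cannot drift apart, checks before applying that the HMAC Secret exists and carries the expected key (the most common reason an Issuer never becomes Ready), and then uses `kubectl wait` on the Ready condition instead of polling `kubectl describe` by hand. All values are constructed placeholders; `EAB_KEY_ID`, the email address and the domain must be replaced with your own, and the script only talks to a cluster when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not the vendor's code. Renders, optionally applies, and verifies
# an ACME Issuer with external account binding plus a Certificate that uses it.
set -eu

# Constructed placeholder values; override via the environment.
ISSUER_NAME="${ISSUER_NAME:-issuer1}"
NAMESPACE="${NAMESPACE:-default}"                      # Issuer and Certificate must share a namespace
ACME_EMAIL="${ACME_EMAIL:-user@example.com}"           # placeholder
ACME_SERVER="${ACME_SERVER:-https://acme.demo.sectigo.com}"
EAB_KEY_ID="${EAB_KEY_ID:-REPLACE_WITH_YOUR_KEY_ID}"   # placeholder, not a real key ID
HMAC_SECRET="${HMAC_SECRET:-hmac1}"                    # Secret created earlier with the HMAC key
CERT_NAME="${CERT_NAME:-cert1}"
TLS_SECRET="${TLS_SECRET:-cert1.tls}"
DOMAIN="${DOMAIN:-example.com}"                        # placeholder

# Issuer manifest. Assumes the HMAC Secret stores the HMAC under the key "secret".
render_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ${ISSUER_NAME}
  namespace: ${NAMESPACE}
spec:
  acme:
    email: ${ACME_EMAIL}
    server: ${ACME_SERVER}
    externalAccountBinding:
      keyID: ${EAB_KEY_ID}
      keySecretRef:
        name: ${HMAC_SECRET}
        key: secret
    privateKeySecretRef:
      name: ${ISSUER_NAME}-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# Certificate manifest; issuerRef.name is taken from the same variable as the Issuer.
render_certificate() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${CERT_NAME}
  namespace: ${NAMESPACE}
spec:
  secretName: ${TLS_SECRET}
  commonName: ${DOMAIN}
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - ${DOMAIN}
  issuerRef:
    name: ${ISSUER_NAME}
    kind: Issuer
    group: cert-manager.io
EOF
}

# Pre-flight: succeeds only if the HMAC Secret exists in the namespace and has a
# non-empty "secret" key. Without it the Issuer stays in a not-Ready state.
hmac_secret_ok() {
  kubectl get secret "${HMAC_SECRET}" -n "${NAMESPACE}" \
    -o jsonpath='{.data.secret}' 2>/dev/null | grep -q .
}

# Apply a manifest from stdin, then block until cert-manager sets Ready=True.
apply_and_wait() {  # $1 = kind/name
  kubectl apply -n "${NAMESPACE}" -f -
  kubectl wait -n "${NAMESPACE}" --for=condition=Ready --timeout=120s "$1"
}

main() {
  if [ "${APPLY:-0}" != "1" ]; then
    render_issuer; echo '---'; render_certificate   # dry run: print both manifests
    return 0
  fi
  hmac_secret_ok || { echo "Secret ${HMAC_SECRET} with key 'secret' not found in ${NAMESPACE}" >&2; return 1; }
  render_issuer | apply_and_wait "issuer/${ISSUER_NAME}"
  render_certificate | apply_and_wait "certificate/${CERT_NAME}"
  kubectl describe certificate "${CERT_NAME}" -n "${NAMESPACE}"
}

main
```

Run it once without `APPLY` to review the generated manifests, then with `APPLY=1` to apply them. Two details the page's separate files make easy to get wrong are enforced here: the Certificate's `issuerRef.name` always matches the Issuer's `metadata.name`, and both objects land in the same namespace, which a namespaced Issuer requires. The resulting `cert1.tls` Secret holds the private key, so restrict RBAC `get`/`list` on Secrets in that namespace to the workloads that mount it.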