Sectigo.com
Shop Enterprise Partners Resources

Using the Kubernetes Secret

In cert-manager, an Issuer or Cluster Issuer represents the certificate authority (CA) that you request certificates from. To request a certificate, you need an Issuer or Cluster Issuer successfully registered with the ACME server. For more details, see ACME in cert-manager docs.

To register an Issuer or Cluster Issue with the ACME server:

  1. Create a .yaml file for the Issuer.

    apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: issue1  # The name of an Issuer
spec:
  acme:
    email: [email protected] # A valid email address
    # for certificate expiry alerts
    server: https://acme.demo.sectigo.com  # The ACME server URL
    externalAccountBinding:
      keyID: 21b5a359ad6fa40574fab180
      keySecretRef:
        name: hmac1 # The name of the Kubernetes Secret
        # created with your HMAC
        key: secret
    privateKeySecretRef:
      name: issuer-account-key # The private key created by Cert-Manager
    solvers:
    - http01:
        ingress:
          class: nginx

  2. Create the Issuer using your .yaml file.

    kubectl apply -f <your-issuer-name.yaml> -n <your-namespace>
    The namespace is not mandatory. If not provided, the default namespace is used.

  3. Once your Issuer is ready to be used, its status is set to True. Verify the Issuer.

    kubectl describe issuer <your-issuer-name> -n <your-namespace>
    Verify the Issuer

  4. Create your certificate .yaml file.

    apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert1 (certificate name)
  namespace: 7scert-manager  # The namespace where the secret will be stored
spec:
  # Secret names are always required.
  secretName: cert1.tls  # The Secret name that Contains the certificate
  commonName: ccmqa.com # The certificate domain name
  privateKey:
    algorithm: RSA (key type)
    encoding: PKCS1
    size: 2048  (key Size)
  dnsNames:
    - ccmqa.com  # The certificate domain names
  # Issuer references are always required.
  issuerRef:
    name: issuer1  # The name of an Issuer
    kind: Issuer
    group: cert-manager.io

    For more options such as domain control validation, different key types and sizes, or securing Ingress, see cert-manager tutorials.

  5. Enroll certificates.

    kubectl apply -f certificate-file.yaml -n <your-namespace>

  6. Verify that the certificates have been enrolled.

    kubectl get certificates -n <your-namespace>

    You can also get the certificate details with the following command.

    kubectl describe certificate <certificate-name> -n <your-namespace>