Using the Kubernetes Secret
In cert-manager, an Issuer or Cluster Issuer represents the certificate authority (CA) that you request certificates from. To request a certificate, you need an Issuer or Cluster Issuer successfully registered with the ACME server. For more details, see ACME in cert-manager docs.
To register an Issuer or Cluster Issue with the ACME server:
-
Create a
.yaml
file for the Issuer.apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: issue1 # The name of an Issuer spec: acme: email: [email protected] # A valid email address # for certificate expiry alerts server: https://acme.demo.sectigo.com # The ACME server URL externalAccountBinding: keyID: 21b5a359ad6fa40574fab180 keySecretRef: name: hmac1 # The name of the Kubernetes Secret # created with your HMAC key: secret privateKeySecretRef: name: issuer-account-key # The private key created by Cert-Manager solvers: - http01: ingress: class: nginx
-
Create the Issuer using your
.yaml
file.kubectl apply -f <your-issuer-name.yaml> -n <your-namespace>
The namespace is not mandatory. If not provided, the default namespace is used. -
Once your Issuer is ready to be used, its status is set to
True
. Verify the Issuer.kubectl describe issuer <your-issuer-name> -n <your-namespace>
-
Create your certificate
.yaml
file.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: cert1 (certificate name) namespace: 7scert-manager # The namespace where the secret will be stored spec: # Secret names are always required. secretName: cert1.tls # The Secret name that Contains the certificate commonName: ccmqa.com # The certificate domain name privateKey: algorithm: RSA (key type) encoding: PKCS1 size: 2048 (key Size) dnsNames: - ccmqa.com # The certificate domain names # Issuer references are always required. issuerRef: name: issuer1 # The name of an Issuer kind: Issuer group: cert-manager.io
For more options such as domain control validation, different key types and sizes, or securing Ingress, see cert-manager tutorials.
-
Enroll certificates.
kubectl apply -f certificate-file.yaml -n <your-namespace>
-
Verify that the certificates have been enrolled.
kubectl get certificates -n <your-namespace>
You can also get the certificate details with the following command.
kubectl describe certificate <certificate-name> -n <your-namespace>