cert-manager
certificate management
Kubernetes
ACME protocol
certificate issuance

cert-manager.io/v1 Certificate no acme field


cert-manager is an essential component in Kubernetes for managing certificates. It automates the issuance and renewal of TLS certificates from various sources. One of its most significant strengths is flexibility: it works with different issuers and certificate formats. While cert-manager is best known for its integration with the ACME (Automated Certificate Management Environment) protocol through issuers such as Let's Encrypt, it also supports issuers that do not use ACME at all. This article focuses on `cert-manager.io/v1` Certificate resources that involve no `acme` configuration, covering how they are configured, where they are used, and what that implies for trust and rotation.

Overview of Certificate Resources in cert-manager

Certificates in cert-manager are Kubernetes resources that define the desired specification and configuration for TLS certificates. The `cert-manager.io/v1` API provides a robust specification to define numerous details about the certificate including, but not limited to, issuer details, subjects, and DNS names.

The Certificate resource essentially serves as a blueprint for cert-manager to follow when requesting and renewing certificates. It includes information necessary for cert-manager to understand which issuer to contact, what domains the certificate should cover, and any additional settings that may influence the certificate's lifecycle.

Configuring Non-ACME Certificates

For environments where ACME is not a viable option, cert-manager provides alternative issuers such as the self-signed, CA, and Vault issuers. A Certificate that references one of these issuers contains no `acme` configuration; the Certificate resource is built from the same core fields regardless of how the issuer signs.

Example of a Non-ACME Certificate Configuration

A basic non-ACME Certificate configuration is built from the following pieces:

  • Secret Name (`spec.secretName`): names the Secret that will store the generated certificate and private key.
  • Issuer Reference (`spec.issuerRef`): determines which issuer will sign the certificate. In this example, the CA issuer `ca-issuer` is referenced.
  • Common Name and DNS Names (`spec.commonName`, `spec.dnsNames`): specify the domain names the certificate should protect.

Two operational points apply to such certificates:

  • Trust: non-ACME certificates usually rely on internal trust stores. Ensure that every consuming party has the proper root and intermediate certificates configured, or connections will fail validation.
  • Rotation: regularly update and rotate certificates, especially those issued by internal CAs, so that a leaked or weak key has a bounded lifetime.
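The following is an added example, not part of the original article: a small Python checker that takes a `cert-manager.io/v1` Certificate manifest (constructed here as an already-parsed dict referencing `ca-issuer`) and verifies the points listed above, i.e. no `acme` configuration, a secret name, a valid issuer reference, at least one protected name, and explicit rotation settings. The field names follow the `cert-manager.io/v1` Certificate spec; the policy choices (explicit `duration`/`renewBefore`, `rotationPolicy: Always`) are the example's own assumptions.

```python
import re

# Constructed manifest (YAML already parsed into a dict): a cert-manager.io/v1
# Certificate signed by the CA Issuer `ca-issuer`, with no ACME settings anywhere.
EXAMPLE_CERT = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "spec": {
        "secretName": "internal-api-tls",
        "issuerRef": {"name": "ca-issuer", "kind": "Issuer", "group": "cert-manager.io"},
        "commonName": "api.internal.example",
        "dnsNames": ["api.internal.example"],
        "duration": "2160h",     # 90-day lifetime
        "renewBefore": "360h",   # start renewal 15 days before expiry
        "privateKey": {"rotationPolicy": "Always"},
    },
}

_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_go_duration(text):
    """Convert a Go-style duration such as '2160h' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def lint_certificate(manifest):
    """Return findings for a non-ACME Certificate; an empty list means it passes."""
    findings = []
    spec = manifest.get("spec", {})
    if "acme" in spec:
        findings.append("spec.acme does not belong on a Certificate; ACME settings live on the Issuer")
    if not spec.get("secretName"):
        findings.append("spec.secretName is required to store the key and certificate")
    ref = spec.get("issuerRef", {})
    if not ref.get("name") or ref.get("kind", "Issuer") not in ("Issuer", "ClusterIssuer"):
        findings.append("spec.issuerRef must name an Issuer or ClusterIssuer")
    if not (spec.get("commonName") or spec.get("dnsNames")):
        findings.append("set spec.commonName and/or spec.dnsNames")
    # Rotation: explicit lifetime, renewal window inside the lifetime, key regenerated.
    if "duration" not in spec or "renewBefore" not in spec:
        findings.append("set spec.duration and spec.renewBefore explicitly for internal CAs")
    elif parse_go_duration(spec["renewBefore"]) >= parse_go_duration(spec["duration"]):
        findings.append("spec.renewBefore must be shorter than spec.duration")
    if spec.get("privateKey", {}).get("rotationPolicy") != "Always":
        findings.append("set spec.privateKey.rotationPolicy: Always to regenerate the key on renewal")
    return findings
```

Running `lint_certificate(EXAMPLE_CERT)` returns an empty list; feeding it a manifest with a stray `acme` block, no `secretName` or a `renewBefore` equal to `duration` returns one finding per problem.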


All Rights Reserved.