kubernetescert-manager

Generate TLS certificates using Self Signed Issuers

Improve this page by contributing to our documentation.

Cert Manager supports issuing certificates through different Issuers. For instance, you can use a Self Signed Issuer to issue the certificates.

The Self Signed issuer doesn’t represent a certificate authority as such, but instead denotes that certificates will “sign themselves” using a given private key.

NOTE: Find the list of available Issuers in the Cert Manager official documentation.

To configure Cert Manager, create an Issuer object. The structure of this object differs depending on the Issuer type. Self Signed issuer are really easy to configure.

To create a self signed issuer to generate a self signed certificate, declare an Issuer, a ClusterIssuer and a Certificate, as shown below:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-ca
  namespace: sandbox
spec:
  ca:
    secretName: letsencrypt-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: letsencrypt-ca
  namespace: sandbox
spec:
  isCA: true
  commonName: osm-system
  secretName: letsencrypt-ca
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io

Next, use the ClusterIssuer to generate certificates for the applications in your Kubernetes cluster. Learn how to secure your Ingress resources.

After the Ingress resource is ready, Cert Manager will create a secret. This secret contains the generated TLS certificate. This can be checked as shown below:

$ kubectl get secret --namespace=sandbox
NAME                  TYPE                                  DATA   AGE
letsencrypt-ca        kubernetes.io/tls                     3      Xs