Skip to main content
Skip table of contents

Tutorial - Use EJBCA with cert-manager

Learn how to set up EJBCA to issue certificates with the cert-manager using the EJBCA cert-manager external issuer.

cert-manager is an open-source tool for issuing certificates in Kubernetes, integrating with various Public Key Infrastructure (PKI) providers. EJBCA integrates with cert-manager as an external certificate authority, enabling native integration to seamlessly request certificates through cert-manager, issued from EJBCA.

This tutorial is intended for users who wish to issue certificates in Kubernetes that has cert-manager deployed and wants to use a world-class PKI for the certificate issuance. Whether you have standardized on EJBCA as the corporate PKI, need a PKI that runs in a container, or just want to try something new, this integration is for you.

In this tutorial, you will learn how to: 

  • Create keys and certificate signing request (CSR) to request certificates from EJBCA for the EJBCA cert-manager external issuer​

  • Configure a new Registration Authority (RA) role in EJBCA for the cert-manager integration

  • Deploy cert-manager using a Helm chart

  • Deploy the EJBCA cert-manager external issuer using a Helm chart

  • Create an issuer and cluster issuer

  • Issue certificates with the EJBCA cert-manager external issuer

Prerequisites

Before you begin, you need:

  • SSH Access to the Kubernetes host.

  • Internet access to download the cert-manager components, EJBCA cert-manager external issuer container, and helm charts​.

  • An environment configured following the tutorial videos EJBCA - Getting started with Kubernetes.​ 

Step 1 - Configure EJBCA for the cert-manager integration

The cert-manager RA role will allow the EJBCA cert-manager external issuer credential to connect to EJBCA using the REST API to issue and revoke certificates. Follow these steps to create a new role for the cert-manager RA:

  1. Go to the EJBCA Administration user interface using a web browser.

  2. In the EJBCA Admin UI, under System Functions, click Roles and Access Rules.

  3. Next to the list of available roles, click Add.

  4. For Role name, specify RA-cert-manager and click Add.
    The Roles Management page now lists the RA-cert-manager role.

  5. To update the access rules for the role, click Access Rules for the RA-cert-manager role.

  6. On the Edit Access Rules page, edit the following:

    • For Role Template, select RA Administrators.

    • For Authorized CAs, select My PKISubCA-G1.

    • For End Entity Profiles, select TLS Client Profile and TLS Server Profile.

  7. Click Save to store the updated access rules for the role.

  8. At the top right of the Edit Access Rules page, click Members.

  9. Members are defined by an attribute from the certificate DN and the serial number:

    • Match with: Select X509:CN, Common name.

    • CA: Verify that Management CA is selected for the CA to match on.

    • Match Value: Specify the name value from the certificate, in this example: "cert-manager-ra-01". Note that this is a case-sensitive matching.

  10. Click Add to add the user to the role.

You have now created a role for the cert-manager RA and can continue preparing to deploy the EJBCA cert-manager external issuer and cert-manager.

Step 2 - Create Key, Certificate Signing Request (CSR), and get the certificate for the RA credential

The EJBCA cert-manager external issuer requires a RA credential to connect to EJBCA for issuing and revoking certificates using the REST API. Follow these steps to create the RA credential:

Create the Key and CSR

  1. SSH to the MicroK8s test host that has EJBCA deployed and configured.

  2. In your terminal, enter the following to create a directory to organize all the files for this tutorial:

    BASH
    $ mkdir cert-manager
  3. Change to the cert-manager directory:

    BASH
    $ cd cert-manager
  4. Create an OpenSSL configuration file for the EJBCA cert-manager external issuer RA certificate:

    BASH
    $ cat > cert-manager-ra-01.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = cert-manager-ra-01
    [ v3_req ]
    keyUsage = digitalSignature
    extendedKeyUsage = clientAuth
    
    EOF
  5. Generate the private key and create the CSR using the OpenSSL configuration file:

    BASH
    $ openssl req -new -newkey rsa:2048 -nodes \
    -keyout cert-manager-ra-01-key.pem -sha256 \
    -out cert-manager-ra-01.csr -config cert-manager-ra-01.conf
  6. Output the contents of the cert-manager-ra-01.csr to use with an upcoming step:

    BASH
    $ cat cert-manager-ra-01.csr
    • The output is similar to the following:

      BASH
      -----BEGIN CERTIFICATE REQUEST-----
      MIICwDCCAagCAQAwSDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
      b21tdW5pdHkxGzAZBgNVBAMMEmNlcnQtbWFuYWdlci1yYS0wMTCCASIwDQYJKoZI
      hvcNAQEBBQADggEPADCCAQoCggEBAM9o0DQ051oUyTRgW8mqOYzVpnJmeUcld0Q4
      Elg6OpqpWKqcIL0Avk3vsjpBQ9TTm5GUIOMgkaGVwfyiHefT8VReUD2XAouJSe+s
      INiaTZV4fsEndyQ2DEPhX9Yho2oV7fFMQPJATFZ9cZm4JczKfXtt7ya0aoyYH23t
      hB+ORT6eF0Eiv7bu/kl3/KlZlg0YxZUbYqKZQq4HbYJtXgEWErLVDKrLbyrc9uF8
      5y97eF2N4NmCM+EBS3Smd3UyrGqtuZFhJNF1ST3z9VQoTZBea+ZZO1j5E5fg5i8j
      Zmrp82rjJWx0WlXpwC6lXL70afGDyzQjF/YTTHA1LgsiUpbkkP8CAwEAAaAzMDEG
      CSqGSIb3DQEJDjEkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC
      MA0GCSqGSIb3DQEBCwUAA4IBAQC3S/u936GVC8ew2K9WtjhHX92/6UYtJ1VJ5wgy
      KElepwl4Lsp5i+3MFIFRYlYtypM1p9wZjRRnaBcnwmAsXqoYXjoHo5TXlcDXdxcB
      GRbuv25MoUCxdqWgDEqK3oui/qD3L/3YYLNpygToaDWFPBop8vEpj8qmjcZ4CVkw
      SvwELGeihJP0Ja+T+0q1NhnyjnYTXYUawxbND/Ma9OSJHnlCkHdprgZq0JB3H2Zq
      h1yYU/qxh1HdIqmbiRzvD6OqsY/FwvMUwF23DNu5r7N6urv9/sS+KaCZTx3T7ezp
      umTihw5jwzifQRKyq0A3yW8FtQ8J1hDXCDAvolLJxlUnDfaV
      -----END CERTIFICATE REQUEST-----

Submit the CSR to EJBCA to get the certificate

  1. Go to the EJBCA RA Web user interface using a web browser.

  2. Click Make New Request and update the following:

    • Select RA-Administrator for the Certificate Type.

    • Select Provided by user for Key-pair generation.

    • Paste the contents of the cert-manager-ra-01.csr from the terminal window into the CSR text field  (the PEM output in the terminal window), such as:

      CODE
      -----BEGIN CERTIFICATE REQUEST-----
      MIICwDCCAagCAQAwSDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
      b21tdW5pdHkxGzAZBgNVBAMMEmNlcnQtbWFuYWdlci1yYS0wMTCCASIwDQYJKoZI
      hvcNAQEBBQADggEPADCCAQoCggEBAM9o0DQ051oUyTRgW8mqOYzVpnJmeUcld0Q4
      Elg6OpqpWKqcIL0Avk3vsjpBQ9TTm5GUIOMgkaGVwfyiHefT8VReUD2XAouJSe+s
      INiaTZV4fsEndyQ2DEPhX9Yho2oV7fFMQPJATFZ9cZm4JczKfXtt7ya0aoyYH23t
      hB+ORT6eF0Eiv7bu/kl3/KlZlg0YxZUbYqKZQq4HbYJtXgEWErLVDKrLbyrc9uF8
      5y97eF2N4NmCM+EBS3Smd3UyrGqtuZFhJNF1ST3z9VQoTZBea+ZZO1j5E5fg5i8j
      Zmrp82rjJWx0WlXpwC6lXL70afGDyzQjF/YTTHA1LgsiUpbkkP8CAwEAAaAzMDEG
      CSqGSIb3DQEJDjEkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC
      MA0GCSqGSIb3DQEBCwUAA4IBAQC3S/u936GVC8ew2K9WtjhHX92/6UYtJ1VJ5wgy
      KElepwl4Lsp5i+3MFIFRYlYtypM1p9wZjRRnaBcnwmAsXqoYXjoHo5TXlcDXdxcB
      GRbuv25MoUCxdqWgDEqK3oui/qD3L/3YYLNpygToaDWFPBop8vEpj8qmjcZ4CVkw
      SvwELGeihJP0Ja+T+0q1NhnyjnYTXYUawxbND/Ma9OSJHnlCkHdprgZq0JB3H2Zq
      h1yYU/qxh1HdIqmbiRzvD6OqsY/FwvMUwF23DNu5r7N6urv9/sS+KaCZTx3T7ezp
      umTihw5jwzifQRKyq0A3yW8FtQ8J1hDXCDAvolLJxlUnDfaV
      -----END CERTIFICATE REQUEST-----
    • Click Upload CSR.

    • Enter cert-manager-ra-01 for the Username.

    • Click Download PEM full chain.

  3. Return to the terminal window and open a new tab or terminal window.

  4. In your terminal, enter the following to upload the cert-manager-ra-01.pem to the MicroK8s VM:

    BASH
    $ scp cert-manager-ra-01.pem user@172.16.170.187:~/cert-manager/cert-manager-ra-01.crt

The certificate.pem file is renamed to .crt when uploaded to the K8’s host

  1. Return to the original terminal window opened for connecting to the Kubernetes server.

  2. Output the contents of the cert-manager-ra-01.crt file with the cat command to copy the ManagementCA cert PEM blob:

    BASH
    $ cat cert-manager-ra-01.crt
    • The output is similar to the following:

      CODE
      Subject: CN=cert-manager-ra-01,O=Keyfactor Community,C=SE
      Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
      -----BEGIN CERTIFICATE-----
      MIIEfzCCAmegAwIBAgIUdTaxyI6z9SZTQy6cM9ByquOsan4wDQYJKoZIhvcNAQEL
      BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yNDAxMTExNzEyMzJaFw0yNTAxMDkx
      NzEyMzFaMEgxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29tbXVu
      aXR5MRswGQYDVQQDDBJjZXJ0LW1hbmFnZXItcmEtMDEwggEiMA0GCSqGSIb3DQEB
      AQUAA4IBDwAwggEKAoIBAQDEdW7YbbQnWeYCzt4eE+dKg2rZ9gWD8JIJFsPo8Qbi
      aCI5otyyqXSdEki/9Z7Zsjo2nhFVG6HhsAsO02e29sJ54QERcAUEHatf1502fwWL
      Or7P5e4tLd6SsNeuJ74DC8dkppCHYdsS2X9xutqJnYvuQhqnfg84mlUG3my4qAMB
      G6ultKt8eCq39Be9/LTau9Ur08SWOluvf6DcpHlhtOJzfD3/UOrS4viGwy4hloau
      xSCQCKMUp51ifj0rGygvNHi58qdsAV2kz1/VCzWu7A4T5paeBAlAaD9shA8aci3R
      4x/KEG90gBXViZE/DJDOvxf7/Y7S04hY2ZRl7bnpZNslAgMBAAGjZzBlMB8GA1Ud
      IwQYMBaAFNf+MZRDSTxfobte/gWABCwE86DSMBMGA1UdJQQMMAoGCCsGAQUFBwMC
      MB0GA1UdDgQWBBTi+OUsnFKQHh1QWYIZNtIguiGJ9TAOBgNVHQ8BAf8EBAMCB4Aw
      DQYJKoZIhvcNAQELBQADggIBAAo6rV5JdKRsS8Z31YDdFWRG4D4pU/j15o7wiwSe
      FiVNACkYiXndoPZP+KaJVFt0FNxw/4ErGxgPLRS/XV9HgTAzCAbAAeGd2mHrMaEX
      eS1G4aQZd7AOgIDZ7+qSrlBdHpb8vXG6tfFKQcCpZxZmTEcTDfZt/YGS+IHxv9oZ
      NX7aLz+pOookjvsse4kS1FMYFUDlL5znzqMHLNwmUUzzsC11TiUZ7unG3k3ekkLG
      F3PSEeMp+y7zmy+skvFQYVDwFywc/2fd+JJ4oFDEPAklM+L+LtmLkhyLHtZzACO0
      LeSUnmVVInfQPT1uEtpL0pmbAbXspNf0nDzSxVhnr/dvN1xfKkFnTc2yvxyZ83Yu
      1DzDnLgu2HsP/1veyr6E8z8iD7o61CbSt/WiBeEDYNDgs8IUWDgVn026pUoTL8/p
      dtcAc+g+C0cr2ox6W1o4e2inQjYaXu2MlKkaAx4YTakqC1sXlb8NWRk8l7UUil+L
      0e+mFZDxIW3i8MepgXPDa05m4b1ZoXa3EAR8e2++f8nXqJlcjoKQOLLTP64t2r1p
      mrCjH+xke47uV36MaqIZ/W8Zx7CW1Cwt4wddzniySUjIfa8oB3OSvoHqx7kLfUvc
      VQWumG2ETi87VSAePUI1DG4aksqTIJ6ZI87Qd/16OUP+9ivwtyPnlemWoMnLiPu7
      GNPr
      -----END CERTIFICATE-----
      Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
      Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
      -----BEGIN CERTIFICATE-----
      MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
      BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
      ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
      dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
      DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
      KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
      fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
      tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
      8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
      zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
      X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
      q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
      kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
      PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
      GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
      o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
      BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
      BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
      tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
      JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
      CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
      uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
      H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
      VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
      2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
      eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
      GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
      zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
      qMN+i82CAMeU
      -----END CERTIFICATE-----
  3. Select the PEM blob for the ManagementCA and copy it:

    BASH
    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
    ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
    dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
    DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
    KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
    fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
    tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
    8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
    zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
    X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
    q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
    kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
    PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
    GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
    o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
    BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
    BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
    tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
    JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
    CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
    uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
    H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
    VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
    2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
    eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
    GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
    zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
    qMN+i82CAMeU
    -----END CERTIFICATE-----
  4. Create the ManagementCA.crt file:

    BASH
    $ vim ManagementCA.crt
  5. Enter the letter i to insert text.

  6. Paste the ManagementCA PEM blob into the file:

    BASH
    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
    ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
    dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
    DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
    KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
    fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
    tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
    8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
    zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
    X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
    q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
    kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
    PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
    GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
    o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
    BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
    BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
    tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
    JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
    CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
    uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
    H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
    VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
    2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
    eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
    GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
    zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
    qMN+i82CAMeU
    -----END CERTIFICATE-----
  7. Enter :wq to save and close the file.

The EJBCA cert-manager external issuer RA credential has been created and uploaded to the K8’s server. Continue to the next step to deploy cert-manager and the EJBCA cert-manager external issuer.

Step 3 - Deploy cert-manager

To issue certificates using EJBCA and cert-manager, the cert-manager must be deployed. Using Helm and applying the Kubernetes Custom Resource Definitions (CRDs) gets cert-manager up and running quickly.

To deploy cert-manager, follow these steps:

  1. Continue from the terminal window of the previous step.

  2. Add the cert-manager helm repository:

    BASH
    $ helm repo add jetstack https://charts.jetstack.io
    • The output is similar to the following:

      CODE
      "jetstack" has been added to your repositories
  3. Update the helm repository cache:

    BASH
    $ helm repo update
    • The output is similar to the following:

      BASH
      Hang tight while we grab the latest from your chart repositories...
      ...Successfully got an update from the "hashicorp" chart repository
      ...Successfully got an update from the "jetstack" chart repository
      Update Complete. ⎈Happy Helming!⎈
  4. Install the cert-manager Custom Resource Definitions:

    BASH
    $ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml
    • The output is similar to the following:

      BASH
      customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured
      customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured
      customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io configured
      customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io configured
      customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io configured
      customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io configured
  5. Deploy cert-manager using helm:

    BASH
    $ helm install \
      cert-manager jetstack/cert-manager \
      --namespace cert-manager \
      --create-namespace \
      --version v1.13.3
    • The output is similar to the following:

      BASH
      NAME: cert-manager
      LAST DEPLOYED: Thu Jan 25 10:52:05 2024
      NAMESPACE: cert-manager
      STATUS: deployed
      REVISION: 1
      TEST SUITE: None
      NOTES:
      cert-manager v1.13.3 has been deployed successfully!
      
      In order to begin issuing certificates, you will need to set up a ClusterIssuer
      or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
      
      More information on the different types of issuers and how to configure them
      can be found in our documentation:
      
      https://cert-manager.io/docs/configuration/
      
      For information on how to configure cert-manager to automatically provision
      Certificates for Ingress resources, take a look at the `ingress-shim`
      documentation:
      
      https://cert-manager.io/docs/usage/ingress/

Deployment of cert-manager is now completed, you can continue to the next step to deploy the EJBCA cert-manager external issuer.

Step 4 - Deploy EJBCA cert-manager external issuer

To complete the integration, the EJBCA cert-manager external issuer container is deployed using Helm. This container is an external issuer for cert-manager which uses the EJBCA REST API to submit certificate requests and revoke certificates.

To deploy the EJBCA cert-manager external issuer, follow these steps:

  1. Continue from the terminal window of the previous step.

  2. Create the name space for the EJBCA cert-manager external issuer:

    BASH
    $ kubectl create namespace ejbca-cert-manager
    • The output is similar to the following:

      BASH
      namespace/ejbca-cert-manager created
  3. Create the secret for the cert-manager-ra-01 credential:

    BASH
    $ kubectl -n ejbca-cert-manager create secret tls ejbca-secret --cert=cert-manager-ra-01.crt --key=cert-manager-ra-01-key.pem
    • The output is similar to the following:

      BASH
      secret/ejbca-secret created
  4. Create the secret for the EJBCA TLS chain:

    BASH
    $ kubectl -n ejbca-cert-manager create secret generic ejbca-ca-secret --from-file=ca.crt=ManagementCA.crt
    • The output is similar to the following:

      BASH
      secret/ejbca-ca-secret created
  5. Add the EJBCA cert-manager external issuer helm repository:

    BASH
    $ helm repo add ejbca-issuer https://keyfactor.github.io/ejbca-cert-manager-issuer
    • The output is similar to the following:

      BASH
      "ejbca-issuer" has been added to your repositories
  6. Update the helm repository cache:

    CODE
    $ helm repo update
    • The output is similar to the following:

      CODE
      Hang tight while we grab the latest from your chart repositories...
      ...Successfully got an update from the "ejbca-issuer" chart repository
      ...Successfully got an update from the "hashicorp" chart repository
      ...Successfully got an update from the "jetstack" chart repository
      Update Complete. ⎈Happy Helming!⎈
  7. Deploy the EJBCA cert-manager external issuer:

    BASH
    $ helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer --namespace ejbca-cert-manager --set image.tag="1.3.2"
    • The output is similar to the following:

      BASH
      NAME: ejbca-cert-manager-issuer
      LAST DEPLOYED: Thu Jan 25 08:52:16 2024
      NAMESPACE: ejbca-cert-manager
      STATUS: deployed
      REVISION: 1
      TEST SUITE: None
  8. Create a namespace for issuing certificates with the EJBCA cert-manager external issuer:

    BASH
    $ kubectl create namespace pkirules
    • The output is similar to the following:

      BASH
      namespace/pkirules created
  9. Create the issuer.yaml file:

    BASH
    cat > issuer.yaml <<EOF 
    apiVersion: ejbca-issuer.keyfactor.com/v1alpha1
    kind: Issuer
    metadata:
      namespace: pkirules
      labels:
        # Customize to to your deployment, but these are optional
        app.kubernetes.io/name: issuer
        app.kubernetes.io/instance: pkirules-tls
        app.kubernetes.io/part-of: ejbca-issuer
        app.kubernetes.io/created-by: ejbca-issuer
      name: pkirules-tls
    spec:
      hostname: "ejbca-internal.ejbca-k8s"
      ejbcaSecretName: "ejbca-secret"
      certificateAuthorityName: "MyPKISubCA-G1"
      certificateProfileName: "TLS Server Profile"
      endEntityProfileName: "TLS Server Profile"
      caBundleSecretName: ejbca-ca-secret 
    EOF
  10. Apply the issuer.yaml file to create an issuer in the pkirules namespace:

    CODE
    $ kubectl apply -f issuer.yaml
    • The output is similar to the following:

      BASH
      issuer.ejbca-issuer.keyfactor.com/pkirules-tls created
  11. Create the clusterissuer.yaml file:

    BASH
    $ cat > clusterissuer.yaml <<EOF
    apiVersion: ejbca-issuer.keyfactor.com/v1alpha1
    kind: ClusterIssuer
    metadata:
      namespace: pkirules 
      labels:
        # Customize to to your deployment, but these are optional
        app.kubernetes.io/name: clusterissuer
        app.kubernetes.io/instance: clusterissuer-pkirules
        app.kubernetes.io/part-of: ejbca-issuer
        app.kubernetes.io/created-by: ejbca-issuer
      name: clusterissuer-pkirules
    spec:
      hostname: "ejbca-internal.ejbca-k8s"
      ejbcaSecretName: "ejbca-secret"
      certificateAuthorityName: "MyPKISubCA-G1"
      certificateProfileName: "TLS Server Profile"
      endEntityProfileName: "TLS Server Profile"
      caBundleSecretName: ejbca-ca-secret
    EOF
    
  12. Apply the clusterissuer.yaml to create an issuer that uses EJBCA fro the Kubernetes cluster:

    BASH
    $ kubectl apply -f clusterissuer.yaml
    • The output is similar to the following:

      BASH
      clusterissuer.ejbca-issuer.keyfactor.com/clusterissuer-pkirules created
  13. Get the issuers.ejbca-issuer.keyfactor.com:

    BASH
    $ kubectl -n pkirules get issuers.ejbca-issuer.keyfactor.com
    • The output is similar to the following:

      BASH
      NAME           AGE
      pkirules-tls   1m
  14. Describe the issuers.ejbca-issuer.keyfactor.com:

    BASH
    $ kubectl -n pkirules describe issuers.ejbca-issuer.keyfactor.com
    • The output is similar to the following:

      BASH
      Name:         pkirules-tls
      Namespace:    pkirules
      Labels:       app.kubernetes.io/created-by=ejbca-issuer
                    app.kubernetes.io/instance=pkirules-tls
                    app.kubernetes.io/name=issuer
                    app.kubernetes.io/part-of=ejbca-issuer
      Annotations:  <none>
      API Version:  ejbca-issuer.keyfactor.com/v1alpha1
      Kind:         Issuer
      Metadata:
        Creation Timestamp:  2024-01-25T14:02:01Z
        Generation:          1
        Managed Fields:
          API Version:  ejbca-issuer.keyfactor.com/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:kubectl.kubernetes.io/last-applied-configuration:
              f:labels:
                .:
                f:app.kubernetes.io/created-by:
                f:app.kubernetes.io/instance:
                f:app.kubernetes.io/name:
                f:app.kubernetes.io/part-of:
            f:spec:
              .:
              f:caBundleSecretName:
              f:certificateAuthorityName:
              f:certificateProfileName:
              f:ejbcaSecretName:
              f:endEntityProfileName:
              f:hostname:
          Manager:      kubectl-client-side-apply
          Operation:    Update
          Time:         2024-01-25T14:02:01Z
          API Version:  ejbca-issuer.keyfactor.com/v1alpha1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:conditions:
          Manager:         manager
          Operation:       Update
          Subresource:     status
          Time:            2024-01-25T14:02:01Z
        Resource Version:  601159
        UID:               2f35a08b-c2f7-4612-b5be-bafd6bfaa2ad
      Spec:
        Ca Bundle Secret Name:       ejbca-ca-secret
        Certificate Authority Name:  MyPKISubCA-G1
        Certificate Profile Name:    TLS Server Profile
        Ejbca Secret Name:           ejbca-secret
        End Entity Profile Name:     TLS Server Profile
        Hostname:                    ejbca-internal.ejbca-k8s
      Status:
        Conditions:
          Last Transition Time:  2024-01-25T14:02:01Z
          Message:               Success
          Reason:                ejbca-issuer.IssuerController.Reconcile
          Status:                True
          Type:                  Ready
      Events:                    <none>

You now have deployed the EJBCA cert-manager external issuer and can continue with issuing certificates.

Step 5 - Issue certificates with the EJBCA cert-manager external issuer

Now that cert-manager and the EJBCA cert-manager external issuer are deployed and configured, you can issue some certificates. Lets explore issuing a certificate manually, using a certificate object, and deploying a simple deployment that will request a certificate for an ingress.

Manual Issuance

  1. Continue from the terminal window of the previous step.

  2. Create an OpenSSL configuration file to generate TLS certificate CSR:

    CODE
    $ cat > test-cm-01.pkirules.conf <<EOF
    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    
    [ req_distinguished_name ]
    countryName = SE
    organizationName = Keyfactor Community
    commonName = test-cm-01.pkirules
     
    [ req_ext ]
    subjectAltName = @alt_names
     
    [alt_names]
    DNS.1 = test-cm.pkirules
    
    EOF
  3. Generate an EC P-256 key using OpenSSL:

    BASH
    $ openssl ecparam -name prime256v1 -genkey -noout -out test-cm-01.pkirules.key
  4. Generate a CSR with the EC Key and OpenSSL configuration file:

    BASH
    $ openssl req -new -sha256 -key test-cm-01.pkirules.key -out test-cm-01.pkirules.csr -config test-cm-01.pkirules.conf
  5. Use base64 to encode the CSR and export it to a variable:

    BASH
    $ CSR64ECODE="$(base64 test-cm-01.pkirules.csr | tr -d \\n)"
  6. Create a certificate request YAML file that is used to manually request a certificate with cert-manager:

    BASH
    $ cat > test-cm-01.pkirules.yaml <<EOF
    apiVersion: cert-manager.io/v1
    kind: CertificateRequest
    metadata:
      name: test-cm-01.pkirules
      namespace: pkirules
    spec:
      request: $CSR64ECODE
      issuerRef:
        name: pkirules-tls
        group: ejbca-issuer.keyfactor.com
        kind: Issuer
    EOF
  7. Apply the test-cm-01.pkirules.yaml file which creates the certificate request with cert-manager:

    BASH
    $ kubectl apply -f test-cm-01.pkirules.yaml
    • The output is similar to the following:

      BASH
      certificaterequest.cert-manager.io/test-cm-01.pkirules created
  8. List the certificate requests in the pkirules namespace:

    BASH
    $ kubectl -n pkirules get CertificateRequest
    • The output is similar to the following:

      BASH
      NAME                  APPROVED   DENIED   READY   ISSUER         REQUESTOR   AGE
      test-cm-01.pkirules   True                True    pkirules-tls   admin       2m18s
  9. Describe the test-cm-01.pkirules certificate request to review the details:

    BASH
    $ kubectl -n pkirules describe CertificateRequest/test-cm-01.pkirules
    • The output is similar to the following:

      BASH
      Name:         test-cm-01.pkirules
      Namespace:    pkirules
      Labels:       <none>
      Annotations:  <none>
      API Version:  cert-manager.io/v1
      Kind:         CertificateRequest
      Metadata:
        Creation Timestamp:  2024-01-26T10:29:46Z
        Generation:          1
        Managed Fields:
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              f:conditions:
                .:
                k:{"type":"Approved"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:      cert-manager-certificaterequests-approver
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T10:29:46Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:kubectl.kubernetes.io/last-applied-configuration:
            f:spec:
              .:
              f:issuerRef:
                .:
                f:group:
                f:kind:
                f:name:
              f:request:
          Manager:      kubectl-client-side-apply
          Operation:    Update
          Time:         2024-01-26T10:29:46Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:ca:
              f:certificate:
              f:conditions:
                k:{"type":"Ready"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:         manager
          Operation:       Update
          Subresource:     status
          Time:            2024-01-26T10:29:46Z
        Resource Version:  649945
        UID:               3d8fffb0-6876-4541-8df2-c8a8ab17ed19
      Spec:
        Groups:
          system:masters
          system:authenticated
        Issuer Ref:
          Group:   ejbca-issuer.keyfactor.com
          Kind:    Issuer
          Name:    pkirules-tls
        Request:   LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQk1qQ0IyUUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDZ3dUUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF3d1RkR1Z6ZEMxamJTMHdNUzV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQk5Va29xeHB3MGR5ZEQyWVdHSGN2UUNqS21ZbzdBZnVYK2NZeGpqWW5MZnEKVXpHZzkvTkxYM2VRRVlDd2pNTlQ4djNycVd2a2JmNFNmUWlJV29GSFoxMmdMakFzQmdrcWhraUc5dzBCQ1E0eApIekFkTUJzR0ExVWRFUVFVTUJLQ0VIUmxjM1F0WTIwdWNHdHBjblZzWlhNd0NnWUlLb1pJemowRUF3SURTQUF3ClJRSWdKQjArdCtySmZvNVRVYWVCcnFCU1RUYlZnTGVEeTh3Lzd1bFpNanJtTldnQ0lRRFdpNDJPcURHVVBqOHkKK3RWZmxXWTVWUWEreUQ4T1JURDZKMDZ5NHlKRWZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
        UID:       admin
        Username:  admin
      Status:
        Ca:           LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        Certificate:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQW5DZ0F3SUJBZ0lVWStUTkNXdHRLc0RmcXREL0ZpZS9aRSsvYzQ4d0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNREU1TkRaYUZ3MHlOVEF4Ck1qTXhNREU1TkRWYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF4TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTFTU2lyR25EUjNKMFBaaFlZZHk5QUtNcVppanNCKzVmNXhqR09OaWN0K3BUCk1hRDM4MHRmZDVBUmdMQ013MVB5L2V1cGErUnQvaEo5Q0loYWdVZG5YYU9DQVRVd2dnRXhNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01EQUdBMVVkRVFRcE1DZUNFSFJsYzNRdFkyMHUKY0d0cGNuVnNaWE9DRTNSbGMzUXRZMjB0TURFdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSApBd0V3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpClEwRXRSekV1WTNKc01CMEdBMVVkRGdRV0JCVFQ4YTJEUTEwSGZCenhPc05LS3J1NVBGYU5LekFPQmdOVkhROEIKQWY4RUJBTUNCYUF3Q2dZSUtvWkl6ajBFQXdRRFNBQXdSUUlnVGhtdTdsTUFZM092Nnk3SmloWmdHMTZRNzYvdgpzVVlGanlYT1NiVEFUZVFDSVFEK2ZRbldlSWRXeVlhYU1HdElhMnVJbURFTE1PeWN1eFZKRVd3YXYvZ3hTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
        Conditions:
          Last Transition Time:  2024-01-26T10:29:46Z
          Message:               Certificate request has been approved by cert-manager.io
          Reason:                cert-manager.io
          Status:                True
          Type:                  Approved
          Last Transition Time:  2024-01-26T10:29:46Z
          Message:               Signed
          Reason:                Issued
          Status:                True
          Type:                  Ready
      Events:
        Type    Reason           Age    From                                       Message
        ----    ------           ----   ----                                       -------
        Normal  cert-manager.io  3m57s  cert-manager-certificaterequests-approver  Certificate request has been approved by cert-manager.io
  10. The certificate can be obtained from the output and decoded with base64 to view:

    BASH
    $ echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQW5DZ0F3SUJBZ0lVWStUTkNXdHRLc0RmcXREL0ZpZS9aRSsvYzQ4d0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNREU1TkRaYUZ3MHlOVEF4Ck1qTXhNREU1TkRWYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF4TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTFTU2lyR25EUjNKMFBaaFlZZHk5QUtNcVppanNCKzVmNXhqR09OaWN0K3BUCk1hRDM4MHRmZDVBUmdMQ013MVB5L2V1cGErUnQvaEo5Q0loYWdVZG5YYU9DQVRVd2dnRXhNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01EQUdBMVVkRVFRcE1DZUNFSFJsYzNRdFkyMHUKY0d0cGNuVnNaWE9DRTNSbGMzUXRZMjB0TURFdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSApBd0V3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpClEwRXRSekV1WTNKc01CMEdBMVVkRGdRV0JCVFQ4YTJEUTEwSGZCenhPc05LS3J1NVBGYU5LekFPQmdOVkhROEIKQWY4RUJBTUNCYUF3Q2dZSUtvWkl6ajBFQXdRRFNBQXdSUUlnVGhtdTdsTUFZM092Nnk3SmloWmdHMTZRNzYvdgpzVVlGanlYT1NiVEFUZVFDSVFEK2ZRbldlSWRXeVlhYU1HdElhMnVJbURFTE1PeWN1eFZKRVd3YXYvZ3hTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" | base64 -d
    • The output is similar to the following:

      BASH
      -----BEGIN CERTIFICATE-----
      MIICyjCCAnCgAwIBAgIUY+TNCWttKsDfqtD/Fie/ZE+/c48wCgYIKoZIzj0EAwQw
      SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
      BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yNDAxMjYxMDE5NDZaFw0yNTAx
      MjMxMDE5NDVaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
      bXVuaXR5MRwwGgYDVQQDDBN0ZXN0LWNtLTAxLnBraXJ1bGVzMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE1SSirGnDR3J0PZhYYdy9AKMqZijsB+5f5xjGONict+pT
      MaD380tfd5ARgLCMw1Py/eupa+Rt/hJ9CIhagUdnXaOCATUwggExMB8GA1UdIwQY
      MBaAFLDlf3Z04iq4uPhYZTPgYqHKpFPtMGEGCCsGAQUFBwEBBFUwUzAxBggrBgEF
      BQcwAoYlaHR0cDovL215LnBraS9jZXJ0cy9NeVBLSVN1YkNBLUcxLmNydDAeBggr
      BgEFBQcwAYYSaHR0cDovL215LnBraS9vY3NwMDAGA1UdEQQpMCeCEHRlc3QtY20u
      cGtpcnVsZXOCE3Rlc3QtY20tMDEucGtpcnVsZXMwEwYDVR0lBAwwCgYIKwYBBQUH
      AwEwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3Vi
      Q0EtRzEuY3JsMB0GA1UdDgQWBBTT8a2DQ10HfBzxOsNKKru5PFaNKzAOBgNVHQ8B
      Af8EBAMCBaAwCgYIKoZIzj0EAwQDSAAwRQIgThmu7lMAY3Ov6y7JihZgG16Q76/v
      sUYFjyXOSbTATeQCIQD+fQnWeIdWyYaaMGtIa2uImDELMOycuxVJEWwav/gxSA==
      -----END CERTIFICATE-----
  11. The certificate is ready to use from the manual request.

Certificate Kind Object Request

  1. Create the test-cm-02.pkirules.yaml file to create a certificate with the certificate kind object:

    BASH
    $ cat > test-cm-02.pkirules.yaml <<EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-cm-02.pkirules
      namespace: pkirules
    spec:
      subject:
        countries:
          - SE
        organizations:
          - Keyfactor Community
      commonName: test-cm-02.pkirules
      #dnsNames:
        #- test-cm-02.pkirules
      privateKey:
        algorithm: ECDSA
        size: 256
      secretName: test-cm-02
      issuerRef:
        name: pkirules-tls
        group: ejbca-issuer.keyfactor.com
        kind: Issuer
    EOF
  2. Apply the test-cm-02.pkirules.yaml file which enrolls for a certificate with cert-manager and creates a secret for the private key:

    BASH
    $ kubectl apply -f test-cm-02.pkirules.yaml
    • The output is similar to the following:

      BASH
      certificate.cert-manager.io/test-cm-02.pkirules created
  3. List the certificate requests:

    BASH
    $ kubectl -n pkirules get CertificateRequest
    • The output is similar to the following:

      BASH
      NAME                    APPROVED   DENIED   READY   ISSUER         REQUESTOR                                         AGE
      test-cm-01.pkirules     True                True    pkirules-tls   admin                                             68m
      test-cm-02.pkirules-1   True                True    pkirules-tls   system:serviceaccount:cert-manager:cert-manager   4m36s
  4. Describe the test-cm-02.pkirules-1 certificate request:

    BASH
    $ kubectl -n pkirules describe CertificateRequest test-cm-02.pkirules-1
    • The output is similar to the following:

      BASH
      Name:         test-cm-02.pkirules-1
      Namespace:    pkirules
      Labels:       <none>
      Annotations:  cert-manager.io/certificate-name: test-cm-02.pkirules
                    cert-manager.io/certificate-revision: 1
                    cert-manager.io/private-key-secret-name: test-cm-02.pkirules-qkncz
      API Version:  cert-manager.io/v1
      Kind:         CertificateRequest
      Metadata:
        Creation Timestamp:  2024-01-26T11:33:44Z
        Generation:          1
        Managed Fields:
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              f:conditions:
                .:
                k:{"type":"Approved"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:      cert-manager-certificaterequests-approver
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T11:33:44Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:cert-manager.io/certificate-name:
                f:cert-manager.io/certificate-revision:
                f:cert-manager.io/private-key-secret-name:
              f:ownerReferences:
                .:
                k:{"uid":"9298479a-3cc1-4370-9146-a1c361007c4a"}:
            f:spec:
              .:
              f:issuerRef:
                .:
                f:group:
                f:kind:
                f:name:
              f:request:
          Manager:      cert-manager-certificates-request-manager
          Operation:    Update
          Time:         2024-01-26T11:33:44Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:ca:
              f:certificate:
              f:conditions:
                k:{"type":"Ready"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:      manager
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T11:33:44Z
        Owner References:
          API Version:           cert-manager.io/v1
          Block Owner Deletion:  true
          Controller:            true
          Kind:                  Certificate
          Name:                  test-cm-02.pkirules
          UID:                   9298479a-3cc1-4370-9146-a1c361007c4a
        Resource Version:        662225
        UID:                     8e9a8b60-07fa-4573-b1fe-23f3e67e2c39
      Spec:
        Extra:
          authentication.kubernetes.io/pod-name:
            cert-manager-55cf8685cb-tztzk
          authentication.kubernetes.io/pod-uid:
            6c69ccc4-46d3-45fd-a942-ec0df90a7ecc
        Groups:
          system:serviceaccounts
          system:serviceaccounts:cert-manager
          system:authenticated
        Issuer Ref:
          Group:   ejbca-issuer.keyfactor.com
          Kind:    Issuer
          Name:    pkirules-tls
        Request:   LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQklUQ0J5UUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDaE1UUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF4TVRkR1Z6ZEMxamJTMHdNaTV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQkdQWXFsU3hhM0xIUUhCYW9aMkVKNnVxcnNPb2xrQjV1UnBReHJPZzc1SDAKdEUzR3UvNFd5YW9jTVRqTWtPQlBjOGsxcUI0Wm52anozWFREeU5ZYmFKaWdIakFjQmdrcWhraUc5dzBCQ1E0eApEekFOTUFzR0ExVWREd1FFQXdJRm9EQUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQjE0ckp4YkRaRlhnc2tDRW42Ci9xN1FvdDF5UncyYWxFWHJ4TEcwc1FLWUN3SWdSeTRidnNtdllWQ0laTVBPd0FKWG9GaW12Zk5HZGJOSXRhb1cKNlJVMGZMRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
        UID:       9ec1c31a-f7af-486c-b881-92d55dd4da1f
        Username:  system:serviceaccount:cert-manager:cert-manager
      Status:
        Ca:           LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        Certificate:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1RENDQWw2Z0F3SUJBZ0lVUGJYV3I5b1VIVUNzamtsZXBkY3Bva0s5V2JBd0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNVEl6TkRSYUZ3MHlOVEF4Ck1qTXhNVEl6TkROYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF5TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRVk5aXFWTEZyY3NkQWNGcWhuWVFucTZxdXc2aVdRSG01R2xER3M2RHZrZlMwClRjYTcvaGJKcWh3eE9NeVE0RTl6eVRXb0hobWUrUFBkZE1QSTFodG9tS09DQVNNd2dnRWZNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01CNEdBMVVkRVFRWE1CV0NFM1JsYzNRdFkyMHQKTURJdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3RXdOUVlEVlIwZkJDNHdMREFxb0NpZwpKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpUTBFdFJ6RXVZM0pzTUIwR0ExVWREZ1FXCkJCUmJDNDJRV2dBNGdwWTdBeU9HU1k2eTJOakpPakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdDZ1lJS29aSXpqMEUKQXdRRFNBQXdSUUloQU9tZWNCejN3YnVxU2psei9PZlNsdDJhOXMzOTMvV05oc2pWOEJ1akRoSE5BaUJ2Y0owNQorWk45UWRmNFEzbDFRY3hmakRnWW1IeWl4SElmci91dlBHbk9Ddz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
        Conditions:
          Last Transition Time:  2024-01-26T11:33:44Z
          Message:               Certificate request has been approved by cert-manager.io
          Reason:                cert-manager.io
          Status:                True
          Type:                  Approved
          Last Transition Time:  2024-01-26T11:33:44Z
          Message:               Signed
          Reason:                Issued
          Status:                True
          Type:                  Ready
      Events:                    <none>
  5. List the certificates created:

    BASH
    $ kubectl -n pkirules get certificate
    • The output is similar to the following:

      BASH
      NAME                  READY   SECRET       AGE
      test-cm-02.pkirules   True    test-cm-02   9m51s
  6. Describe the test-cm-02.pkirules certificate:

    BASH
    $ kubectl -n pkirules describe certificate test-cm-02.pkirules
    • The output is similar to the following:

      BASH
      Name:         test-cm-02.pkirules
      Namespace:    pkirules
      Labels:       <none>
      Annotations:  <none>
      API Version:  cert-manager.io/v1
      Kind:         Certificate
      Metadata:
        Creation Timestamp:  2024-01-26T11:33:44Z
        Generation:          1
        Managed Fields:
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              f:revision:
          Manager:      cert-manager-certificates-issuing
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T11:33:44Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:conditions:
                .:
                k:{"type":"Ready"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:observedGeneration:
                  f:reason:
                  f:status:
                  f:type:
              f:notAfter:
              f:notBefore:
              f:renewalTime:
          Manager:      cert-manager-certificates-readiness
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T11:33:44Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:kubectl.kubernetes.io/last-applied-configuration:
            f:spec:
              .:
              f:commonName:
              f:issuerRef:
                .:
                f:group:
                f:kind:
                f:name:
              f:privateKey:
                .:
                f:algorithm:
                f:size:
              f:secretName:
              f:subject:
                .:
                f:countries:
                f:organizations:
          Manager:         kubectl-client-side-apply
          Operation:       Update
          Time:            2024-01-26T11:33:44Z
        Resource Version:  662231
        UID:               9298479a-3cc1-4370-9146-a1c361007c4a
      Spec:
        Common Name:  test-cm-02.pkirules
        Issuer Ref:
          Group:  ejbca-issuer.keyfactor.com
          Kind:   Issuer
          Name:   pkirules-tls
        Private Key:
          Algorithm:  ECDSA
          Size:       256
        Secret Name:  test-cm-02
        Subject:
          Countries:
            SE
          Organizations:
            Keyfactor Community
      Status:
        Conditions:
          Last Transition Time:  2024-01-26T11:33:44Z
          Message:               Certificate is up to date and has not expired
          Observed Generation:   1
          Reason:                Ready
          Status:                True
          Type:                  Ready
        Not After:               2025-01-23T11:23:43Z
        Not Before:              2024-01-26T11:23:44Z
        Renewal Time:            2024-09-24T11:23:43Z
        Revision:                1
      Events:                    <none>
  7. List the secrets:

    BASH
    $ kubectl -n pkirules get secrets
    • The output is similar to the following:

      BASH
      NAME         TYPE                DATA   AGE
      test-cm-02   kubernetes.io/tls   3      13m
  8. Describe the test-cm-02 secret:

    BASH
    $ kubectl -n pkirules describe secrets test-cm-02
    • The output is similar to the following:

      BASH
      Name:         test-cm-02
      Namespace:    pkirules
      Labels:       controller.cert-manager.io/fao=true
      Annotations:  cert-manager.io/alt-names: test-cm-02.pkirules
                    cert-manager.io/certificate-name: test-cm-02.pkirules
                    cert-manager.io/common-name: test-cm-02.pkirules
                    cert-manager.io/ip-sans:
                    cert-manager.io/issuer-group: ejbca-issuer.keyfactor.com
                    cert-manager.io/issuer-kind: Issuer
                    cert-manager.io/issuer-name: pkirules-tls
                    cert-manager.io/subject-countries: SE
                    cert-manager.io/subject-organizations: Keyfactor Community
                    cert-manager.io/uri-sans:
      
      Type:  kubernetes.io/tls
      
      Data
      ====
      ca.crt:   1660 bytes
      tls.crt:  1005 bytes
      tls.key:  227 bytes
  9. The certificate can now be used, for example by mounting the secret into a container

Request Certificate for Ingress Using a Simple Deployment

  1. Create the simple deployment YAML file to deploy a container and issue a certificate to ingress:

    BASH
    $ cat > ejbca-cm-issuer-hello-world.yaml <<EOF
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ejbca-cm-issuer-helloworld-one
      namespace: pkirules
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ejbca-cm-issuer-helloworld-one
      template:
        metadata:
          labels:
            app: ejbca-cm-issuer-helloworld-one
        spec:
          containers:
          - name: ejbca-cm-issuer-helloworld-one
            image: hashicorp/http-echo:latest
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: helloworld
      namespace: pkirules
    spec:
      #type: ClusterIP
      ports:
      - port: 80
        targetPort: 80
        protocol: TCP
      selector:
        app: ejbca-cm-issuer-helloworld-one
    
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: hellowworld-ingress
      namespace: pkirules
      annotations:
        cert-manager.io/issuer: "pkirules-tls"
        cert-manager.io/issuer-kind: "Issuer"
        cert-manager.io/issuer-group: "ejbca-issuer.keyfactor.com"
        cert-manager.io/common-name: "test-cm-03.pkirules"
        cert-manager.io/subject-organizations: "Keyfactor Community"
        cert-manager.io/subject-countries: "SE"
        cert-manager.io/private-key-algorithm: "ECDSA"
        cert-manager.io/private-key-size: "256"
    spec:
      ingressClassName: public
      tls:
      - hosts:
        - test-cm-03.pkirules
        secretName: test-cm-03.pkirules
      rules:
      - host: test-cm-03.pkirules
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: helloworld
                port:
                  number: 80
    EOF
  2. Apply ejbca-cm-issuer-hello-world.yaml file which starts the deployment and requests a certificate for Ingress using cert-manager:

    BASH
    $ kubectl apply -f ejbca-cm-issuer-hello-world.yaml
    • The output is similar to the following:

      BASH
      deployment.apps/ejbca-cm-issuer-helloworld-one created
      ingress.networking.k8s.io/hellowworld-ingress created
  3. List the certificate requests:

    BASH
    $ kubectl -n pkirules get CertificateRequest
    • The output is similar to the following:

      BASH
      NAME                    APPROVED   DENIED   READY   ISSUER         REQUESTOR                                         AGE
      test-cm-01.pkirules     True                True    pkirules-tls   admin                                             177m
      test-cm-02.pkirules-1   True                True    pkirules-tls   system:serviceaccount:cert-manager:cert-manager   113m
      test-cm-03.pkirules-1   True                True    pkirules-tls   system:serviceaccount:cert-manager:cert-manager   65s
  4. Describe the test-cm-03.pkirules-1 certificate request:

    BASH
    $ kubectl -n pkirules describe CertificateRequest test-cm-03.pkirules-1
    • The output is similar to the following:

      BASH
      Name:         test-cm-03.pkirules-1
      Namespace:    pkirules
      Labels:       <none>
      Annotations:  cert-manager.io/certificate-name: test-cm-03.pkirules
                    cert-manager.io/certificate-revision: 1
                    cert-manager.io/private-key-secret-name: test-cm-03.pkirules-fkdg8
      API Version:  cert-manager.io/v1
      Kind:         CertificateRequest
      Metadata:
        Creation Timestamp:  2024-01-26T13:26:35Z
        Generation:          1
        Managed Fields:
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              f:conditions:
                .:
                k:{"type":"Approved"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:      cert-manager-certificaterequests-approver
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T13:26:35Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .:
                f:cert-manager.io/certificate-name:
                f:cert-manager.io/certificate-revision:
                f:cert-manager.io/private-key-secret-name:
              f:ownerReferences:
                .:
                k:{"uid":"9ec95bfc-a645-417c-9634-8e727bdeacf3"}:
            f:spec:
              .:
              f:issuerRef:
                .:
                f:group:
                f:kind:
                f:name:
              f:request:
              f:usages:
          Manager:      cert-manager-certificates-request-manager
          Operation:    Update
          Time:         2024-01-26T13:26:35Z
          API Version:  cert-manager.io/v1
          Fields Type:  FieldsV1
          fieldsV1:
            f:status:
              .:
              f:ca:
              f:certificate:
              f:conditions:
                k:{"type":"Ready"}:
                  .:
                  f:lastTransitionTime:
                  f:message:
                  f:reason:
                  f:status:
                  f:type:
          Manager:      manager
          Operation:    Update
          Subresource:  status
          Time:         2024-01-26T13:26:35Z
        Owner References:
          API Version:           cert-manager.io/v1
          Block Owner Deletion:  true
          Controller:            true
          Kind:                  Certificate
          Name:                  test-cm-03.pkirules
          UID:                   9ec95bfc-a645-417c-9634-8e727bdeacf3
        Resource Version:        683881
        UID:                     347ccb7b-fb8c-4e26-97da-d22739a565cc
      Spec:
        Extra:
          authentication.kubernetes.io/pod-name:
            cert-manager-55cf8685cb-tztzk
          authentication.kubernetes.io/pod-uid:
            6c69ccc4-46d3-45fd-a942-ec0df90a7ecc
        Groups:
          system:serviceaccounts
          system:serviceaccounts:cert-manager
          system:authenticated
        Issuer Ref:
          Group:  ejbca-issuer.keyfactor.com
          Kind:   Issuer
          Name:   pkirules-tls
        Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQlF6Q0I2UUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDaE1UUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF4TVRkR1Z6ZEMxamJTMHdNeTV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQkNJSVhlaTNnd00zc1cwZ0trOUQyQkV5U3E4NDVET29oRVhwblBWODdBbm8KUFRXeE5qMjlzaUVxN1RqR2lLTlhBUGpzRjBqcU1VNFVQbTJxWHlncmdZK2dQakE4QmdrcWhraUc5dzBCQ1E0eApMekF0TUI0R0ExVWRFUVFYTUJXQ0UzUmxjM1F0WTIwdE1ETXVjR3RwY25Wc1pYTXdDd1lEVlIwUEJBUURBZ1dnCk1Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQ0lRRC9kS0E1VEpyYzZxMHhEUEhGNkJLRmppWjVJSkhWY3FDMnQ5TnAKSjQrcnRnSWhBTGxzNVpROGlJbmtHNjZ1NTNYdnUveVdIYzJDbGpCdFk3bFUvdSt2VVVKaQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
        UID:      9ec1c31a-f7af-486c-b881-92d55dd4da1f
        Usages:
          digital signature
          key encipherment
        Username:  system:serviceaccount:cert-manager:cert-manager
      Status:
        Ca:           LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        Certificate:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN6RENDQW5PZ0F3SUJBZ0lVUmlhY0p1Vkk2TzhKTHNaajY1QW93aGwxNVcwd0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNekUyTXpWYUZ3MHlOVEF4Ck1qTXhNekUyTXpSYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF6TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRUlnaGQ2TGVEQXpleGJTQXFUMFBZRVRKS3J6amtNNmlFUmVtYzlYenNDZWc5Ck5iRTJQYjJ5SVNydE9NYUlvMWNBK093WFNPb3hUaFErYmFwZktDdUJqNk9DQVRnd2dnRTBNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01ETUdBMVVkRVFRc01DcUNFM1JsYzNRdFkyMHQKTURNdWNHdHBjblZzWlhPQ0UzUmxjM1F0WTIwdE1ETXVjR3RwY25Wc1pYTXdFd1lEVlIwbEJBd3dDZ1lJS3dZQgpCUVVIQXdFd05RWURWUjBmQkM0d0xEQXFvQ2lnSm9Za2FIUjBjRG92TDIxNUxuQnJhUzlqY214ekwwMTVVRXRKClUzVmlRMEV0UnpFdVkzSnNNQjBHQTFVZERnUVdCQlE1OUhCOVFnNEtYNFNNUjVMdDRPbzMybHZCeERBT0JnTlYKSFE4QkFmOEVCQU1DQmFBd0NnWUlLb1pJemowRUF3UURSd0F3UkFJZ0o1STB6UVZNVk8zdy9zSGpCdEdhTEt3Ugo2dnd1QWNQQkErTnNvc3ozbGVnQ0lCNEpOTmpXb3dmMXpKSFRiNkFXUXR4UDlIL2M4aDBiNWY0aDluN3ptVFc3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
        Conditions:
          Last Transition Time:  2024-01-26T13:26:35Z
          Message:               Certificate request has been approved by cert-manager.io
          Reason:                cert-manager.io
          Status:                True
          Type:                  Approved
          Last Transition Time:  2024-01-26T13:26:35Z
          Message:               Signed
          Reason:                Issued
          Status:                True
          Type:                  Ready
      Events:
        Type    Reason           Age    From                                       Message
        ----    ------           ----   ----                                       -------
        Normal  cert-manager.io  2m20s  cert-manager-certificaterequests-approver  Certificate request has been approved by cert-manager.io
  5. Describe the ingress to see that a certificate was created:

    BASH
    $ kubectl -n pkirules describe ingress/hellowworld-ingress
    • The output is similar to the following:

      CODE
      Name:             hellowworld-ingress
      Labels:           <none>
      Namespace:        pkirules
      Address:          127.0.0.1
      Ingress Class:    public
      Default backend:  <default>
      TLS:
        test-cm-03.pkirules terminates test-cm-03.pkirules
      Rules:
        Host                 Path  Backends
        ----                 ----  --------
        test-cm-03.pkirules
                             /   helloworld:80 (<error: endpoints "helloworld" not found>)
      Annotations:           cert-manager.io/common-name: test-cm-03.pkirules
                             cert-manager.io/issuer: pkirules-tls
                             cert-manager.io/issuer-group: ejbca-issuer.keyfactor.com
                             cert-manager.io/issuer-kind: Issuer
                             cert-manager.io/private-key-algorithm: ECDSA
                             cert-manager.io/private-key-size: 256
                             cert-manager.io/subject-countries: SE
                             cert-manager.io/subject-organizations: Keyfactor Community
      Events:
        Type    Reason             Age                    From                       Message
        ----    ------             ----                   ----                       -------
        Normal  CreateCertificate  3m17s                  cert-manager-ingress-shim  Successfully created Certificate "test-cm-03.pkirules"
        Normal  Sync               2m19s (x2 over 3m17s)  nginx-ingress-controller   Scheduled for sync
      [user@microk8-01 cert-manager]$

You now have deployed certificates three different ways using the EJBCA cert-manager external issuer integration.

Next steps

In this tutorial, you learned how to configure EJBCA for the cert-manager integration and issue certificates from EJBCA natively through cert-manager. Three different issuance methods were demonstrated for this integration.

Here are some next steps we recommend:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.