Tutorial - Use EJBCA with cert-manager
Learn how to set up EJBCA to issue certificates with the cert-manager using the EJBCA cert-manager external issuer.
cert-manager is an open-source tool for issuing certificates in Kubernetes, integrating with various Public Key Infrastructure (PKI) providers. EJBCA integrates with cert-manager as an external certificate authority, enabling native integration to seamlessly request certificates through cert-manager, issued from EJBCA.
This tutorial is intended for users who wish to issue certificates in Kubernetes that has cert-manager deployed and wants to use a world-class PKI for the certificate issuance. Whether you have standardized on EJBCA as the corporate PKI, need a PKI that runs in a container, or just want to try something new, this integration is for you.
In this tutorial, you will learn how to:
Create keys and certificate signing request (CSR) to request certificates from EJBCA for the EJBCA cert-manager external issuer
Configure a new Registration Authority (RA) role in EJBCA for the cert-manager integration
Deploy cert-manager using a Helm chart
Deploy the EJBCA cert-manager external issuer using a Helm chart
Create an issuer and cluster issuer
Issue certificates with the EJBCA cert-manager external issuer
Prerequisites
Before you begin, you need:
SSH Access to the Kubernetes host.
Internet access to download the cert-manager components, EJBCA cert-manager external issuer container, and helm charts.
An environment configured following the tutorial videos EJBCA - Getting started with Kubernetes.
Step 1 - Configure EJBCA for the cert-manager integration
The cert-manager RA role will allow the EJBCA cert-manager external issuer credential to connect to EJBCA using the REST API to issue and revoke certificates. Follow these steps to create a new role for the cert-manager RA:
Go to the EJBCA Administration user interface using a web browser.
In the EJBCA Admin UI, under System Functions, click Roles and Access Rules.
Next to the list of available roles, click Add.
For Role name, specify RA-cert-manager and click Add.
The Roles Management page now lists the RA-cert-manager role.To update the access rules for the role, click Access Rules for the RA-cert-manager role.
On the Edit Access Rules page, edit the following:
For Role Template, select RA Administrators.
For Authorized CAs, select My PKISubCA-G1.
For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
Click Save to store the updated access rules for the role.
At the top right of the Edit Access Rules page, click Members.
Members are defined by an attribute from the certificate DN and the serial number:
Match with: Select X509:CN, Common name.
CA: Verify that Management CA is selected for the CA to match on.
Match Value: Specify the name value from the certificate, in this example: "cert-manager-ra-01". Note that this is a case-sensitive matching.
Click Add to add the user to the role.
You have now created a role for the cert-manager RA and can continue preparing to deploy the EJBCA cert-manager external issuer and cert-manager.
Step 2 - Create Key, Certificate Signing Request (CSR), and get the certificate for the RA credential
The EJBCA cert-manager external issuer requires a RA credential to connect to EJBCA for issuing and revoking certificates using the REST API. Follow these steps to create the RA credential:
Create the Key and CSR
SSH to the MicroK8s test host that has EJBCA deployed and configured.
In your terminal, enter the following to create a directory to organize all the files for this tutorial:
BASH$ mkdir cert-manager
Change to the cert-manager directory:
BASH$ cd cert-manager
Create an OpenSSL configuration file for the EJBCA cert-manager external issuer RA certificate:
BASH$ cat > cert-manager-ra-01.conf <<EOF [req] default_bits = 2048 prompt = no encrypt_key = yes distinguished_name = kubelet_serving req_extensions = v3_req [ kubelet_serving ] C = SE O = Keyfactor Community CN = cert-manager-ra-01 [ v3_req ] keyUsage = digitalSignature extendedKeyUsage = clientAuth EOF
Generate the private key and create the CSR using the OpenSSL configuration file:
BASH$ openssl req -new -newkey rsa:2048 -nodes \ -keyout cert-manager-ra-01-key.pem -sha256 \ -out cert-manager-ra-01.csr -config cert-manager-ra-01.conf
Output the contents of the cert-manager-ra-01.csr to use with an upcoming step:
BASH$ cat cert-manager-ra-01.csr
The output is similar to the following:
BASH-----BEGIN CERTIFICATE REQUEST----- MIICwDCCAagCAQAwSDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD b21tdW5pdHkxGzAZBgNVBAMMEmNlcnQtbWFuYWdlci1yYS0wMTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAM9o0DQ051oUyTRgW8mqOYzVpnJmeUcld0Q4 Elg6OpqpWKqcIL0Avk3vsjpBQ9TTm5GUIOMgkaGVwfyiHefT8VReUD2XAouJSe+s INiaTZV4fsEndyQ2DEPhX9Yho2oV7fFMQPJATFZ9cZm4JczKfXtt7ya0aoyYH23t hB+ORT6eF0Eiv7bu/kl3/KlZlg0YxZUbYqKZQq4HbYJtXgEWErLVDKrLbyrc9uF8 5y97eF2N4NmCM+EBS3Smd3UyrGqtuZFhJNF1ST3z9VQoTZBea+ZZO1j5E5fg5i8j Zmrp82rjJWx0WlXpwC6lXL70afGDyzQjF/YTTHA1LgsiUpbkkP8CAwEAAaAzMDEG CSqGSIb3DQEJDjEkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC MA0GCSqGSIb3DQEBCwUAA4IBAQC3S/u936GVC8ew2K9WtjhHX92/6UYtJ1VJ5wgy KElepwl4Lsp5i+3MFIFRYlYtypM1p9wZjRRnaBcnwmAsXqoYXjoHo5TXlcDXdxcB GRbuv25MoUCxdqWgDEqK3oui/qD3L/3YYLNpygToaDWFPBop8vEpj8qmjcZ4CVkw SvwELGeihJP0Ja+T+0q1NhnyjnYTXYUawxbND/Ma9OSJHnlCkHdprgZq0JB3H2Zq h1yYU/qxh1HdIqmbiRzvD6OqsY/FwvMUwF23DNu5r7N6urv9/sS+KaCZTx3T7ezp umTihw5jwzifQRKyq0A3yW8FtQ8J1hDXCDAvolLJxlUnDfaV -----END CERTIFICATE REQUEST-----
Submit the CSR to EJBCA to get the certificate
Go to the EJBCA RA Web user interface using a web browser.
Click Make New Request and update the following:
Select RA-Administrator for the Certificate Type.
Select Provided by user for Key-pair generation.
Paste the contents of the cert-manager-ra-01.csr from the terminal window into the CSR text field (the PEM output in the terminal window), such as:
CODE-----BEGIN CERTIFICATE REQUEST----- MIICwDCCAagCAQAwSDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD b21tdW5pdHkxGzAZBgNVBAMMEmNlcnQtbWFuYWdlci1yYS0wMTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAM9o0DQ051oUyTRgW8mqOYzVpnJmeUcld0Q4 Elg6OpqpWKqcIL0Avk3vsjpBQ9TTm5GUIOMgkaGVwfyiHefT8VReUD2XAouJSe+s INiaTZV4fsEndyQ2DEPhX9Yho2oV7fFMQPJATFZ9cZm4JczKfXtt7ya0aoyYH23t hB+ORT6eF0Eiv7bu/kl3/KlZlg0YxZUbYqKZQq4HbYJtXgEWErLVDKrLbyrc9uF8 5y97eF2N4NmCM+EBS3Smd3UyrGqtuZFhJNF1ST3z9VQoTZBea+ZZO1j5E5fg5i8j Zmrp82rjJWx0WlXpwC6lXL70afGDyzQjF/YTTHA1LgsiUpbkkP8CAwEAAaAzMDEG CSqGSIb3DQEJDjEkMCIwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMC MA0GCSqGSIb3DQEBCwUAA4IBAQC3S/u936GVC8ew2K9WtjhHX92/6UYtJ1VJ5wgy KElepwl4Lsp5i+3MFIFRYlYtypM1p9wZjRRnaBcnwmAsXqoYXjoHo5TXlcDXdxcB GRbuv25MoUCxdqWgDEqK3oui/qD3L/3YYLNpygToaDWFPBop8vEpj8qmjcZ4CVkw SvwELGeihJP0Ja+T+0q1NhnyjnYTXYUawxbND/Ma9OSJHnlCkHdprgZq0JB3H2Zq h1yYU/qxh1HdIqmbiRzvD6OqsY/FwvMUwF23DNu5r7N6urv9/sS+KaCZTx3T7ezp umTihw5jwzifQRKyq0A3yW8FtQ8J1hDXCDAvolLJxlUnDfaV -----END CERTIFICATE REQUEST-----
Click Upload CSR.
Enter cert-manager-ra-01 for the Username.
Click Download PEM full chain.
Return to the terminal window and open a new tab or terminal window.
In your terminal, enter the following to upload the cert-manager-ra-01.pem to the MicroK8s VM:
BASH$ scp cert-manager-ra-01.pem user@172.16.170.187:~/cert-manager/cert-manager-ra-01.crt
The certificate.pem file is renamed to .crt when uploaded to the K8’s host
Return to the original terminal window opened for connecting to the Kubernetes server.
Output the contents of the cert-manager-ra-01.crt file with the cat command to copy the ManagementCA cert PEM blob:
BASH$ cat cert-manager-ra-01.crt
The output is similar to the following:
CODESubject: CN=cert-manager-ra-01,O=Keyfactor Community,C=SE Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE -----BEGIN CERTIFICATE----- MIIEfzCCAmegAwIBAgIUdTaxyI6z9SZTQy6cM9ByquOsan4wDQYJKoZIhvcNAQEL BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yNDAxMTExNzEyMzJaFw0yNTAxMDkx NzEyMzFaMEgxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29tbXVu aXR5MRswGQYDVQQDDBJjZXJ0LW1hbmFnZXItcmEtMDEwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDEdW7YbbQnWeYCzt4eE+dKg2rZ9gWD8JIJFsPo8Qbi aCI5otyyqXSdEki/9Z7Zsjo2nhFVG6HhsAsO02e29sJ54QERcAUEHatf1502fwWL Or7P5e4tLd6SsNeuJ74DC8dkppCHYdsS2X9xutqJnYvuQhqnfg84mlUG3my4qAMB G6ultKt8eCq39Be9/LTau9Ur08SWOluvf6DcpHlhtOJzfD3/UOrS4viGwy4hloau xSCQCKMUp51ifj0rGygvNHi58qdsAV2kz1/VCzWu7A4T5paeBAlAaD9shA8aci3R 4x/KEG90gBXViZE/DJDOvxf7/Y7S04hY2ZRl7bnpZNslAgMBAAGjZzBlMB8GA1Ud IwQYMBaAFNf+MZRDSTxfobte/gWABCwE86DSMBMGA1UdJQQMMAoGCCsGAQUFBwMC MB0GA1UdDgQWBBTi+OUsnFKQHh1QWYIZNtIguiGJ9TAOBgNVHQ8BAf8EBAMCB4Aw DQYJKoZIhvcNAQELBQADggIBAAo6rV5JdKRsS8Z31YDdFWRG4D4pU/j15o7wiwSe FiVNACkYiXndoPZP+KaJVFt0FNxw/4ErGxgPLRS/XV9HgTAzCAbAAeGd2mHrMaEX eS1G4aQZd7AOgIDZ7+qSrlBdHpb8vXG6tfFKQcCpZxZmTEcTDfZt/YGS+IHxv9oZ NX7aLz+pOookjvsse4kS1FMYFUDlL5znzqMHLNwmUUzzsC11TiUZ7unG3k3ekkLG F3PSEeMp+y7zmy+skvFQYVDwFywc/2fd+JJ4oFDEPAklM+L+LtmLkhyLHtZzACO0 LeSUnmVVInfQPT1uEtpL0pmbAbXspNf0nDzSxVhnr/dvN1xfKkFnTc2yvxyZ83Yu 1DzDnLgu2HsP/1veyr6E8z8iD7o61CbSt/WiBeEDYNDgs8IUWDgVn026pUoTL8/p dtcAc+g+C0cr2ox6W1o4e2inQjYaXu2MlKkaAx4YTakqC1sXlb8NWRk8l7UUil+L 0e+mFZDxIW3i8MepgXPDa05m4b1ZoXa3EAR8e2++f8nXqJlcjoKQOLLTP64t2r1p mrCjH+xke47uV36MaqIZ/W8Zx7CW1Cwt4wddzniySUjIfa8oB3OSvoHqx7kLfUvc VQWumG2ETi87VSAePUI1DG4aksqTIJ6ZI87Qd/16OUP+9ivwtyPnlemWoMnLiPu7 GNPr -----END CERTIFICATE----- Subject: CN=ManagementCA,O=Keyfactor Community,C=SE Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE -----BEGIN CERTIFICATE----- MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8 fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja 8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/ q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5 CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R 2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP qMN+i82CAMeU -----END CERTIFICATE-----
Select the PEM blob for the ManagementCA and copy it:
BASHSubject: CN=ManagementCA,O=Keyfactor Community,C=SE Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE -----BEGIN CERTIFICATE----- MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8 fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja 8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/ q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5 CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R 2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP qMN+i82CAMeU -----END CERTIFICATE-----
Create the ManagementCA.crt file:
BASH$ vim ManagementCA.crt
Enter the letter i to insert text.
Paste the ManagementCA PEM blob into the file:
BASHSubject: CN=ManagementCA,O=Keyfactor Community,C=SE Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE -----BEGIN CERTIFICATE----- MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8 fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja 8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/ q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5 CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R 2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP qMN+i82CAMeU -----END CERTIFICATE-----
Enter :wq to save and close the file.
The EJBCA cert-manager external issuer RA credential has been created and uploaded to the K8’s server. Continue to the next step to deploy cert-manager and the EJBCA cert-manager external issuer.
Step 3 - Deploy cert-manager
To issue certificates using EJBCA and cert-manager, the cert-manager must be deployed. Using Helm and applying the Kubernetes Custom Resource Definitions (CRDs) gets cert-manager up and running quickly.
To deploy cert-manager, follow these steps:
Continue from the terminal window of the previous step.
Add the cert-manager helm repository:
BASH$ helm repo add jetstack https://charts.jetstack.io
The output is similar to the following:
CODE"jetstack" has been added to your repositories
Update the helm repository cache:
BASH$ helm repo update
The output is similar to the following:
BASHHang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "hashicorp" chart repository ...Successfully got an update from the "jetstack" chart repository Update Complete. ⎈Happy Helming!⎈
Install the cert-manager Custom Resource Definitions:
BASH$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml
The output is similar to the following:
BASHcustomresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io configured customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io configured customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io configured customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io configured
Deploy cert-manager using helm:
BASH$ helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.13.3
The output is similar to the following:
BASHNAME: cert-manager LAST DEPLOYED: Thu Jan 25 10:52:05 2024 NAMESPACE: cert-manager STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: cert-manager v1.13.3 has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). More information on the different types of issuers and how to configure them can be found in our documentation: https://cert-manager.io/docs/configuration/ For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the `ingress-shim` documentation: https://cert-manager.io/docs/usage/ingress/
Deployment of cert-manager is now completed, you can continue to the next step to deploy the EJBCA cert-manager external issuer.
Step 4 - Deploy EJBCA cert-manager external issuer
To complete the integration, the EJBCA cert-manager external issuer container is deployed using Helm. This container is an external issuer for cert-manager which uses the EJBCA REST API to submit certificate requests and revoke certificates.
To deploy the EJBCA cert-manager external issuer, follow these steps:
Continue from the terminal window of the previous step.
Create the name space for the EJBCA cert-manager external issuer:
BASH$ kubectl create namespace ejbca-cert-manager
The output is similar to the following:
BASHnamespace/ejbca-cert-manager created
Create the secret for the cert-manager-ra-01 credential:
BASH$ kubectl -n ejbca-cert-manager create secret tls ejbca-secret --cert=cert-manager-ra-01.crt --key=cert-manager-ra-01-key.pem
The output is similar to the following:
BASHsecret/ejbca-secret created
Create the secret for the EJBCA TLS chain:
BASH$ kubectl -n ejbca-cert-manager create secret generic ejbca-ca-secret --from-file=ca.crt=ManagementCA.crt
The output is similar to the following:
BASHsecret/ejbca-ca-secret created
Add the EJBCA cert-manager external issuer helm repository:
BASH$ helm repo add ejbca-issuer https://keyfactor.github.io/ejbca-cert-manager-issuer
The output is similar to the following:
BASH"ejbca-issuer" has been added to your repositories
Update the helm repository cache:
CODE$ helm repo update
The output is similar to the following:
CODEHang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "ejbca-issuer" chart repository ...Successfully got an update from the "hashicorp" chart repository ...Successfully got an update from the "jetstack" chart repository Update Complete. ⎈Happy Helming!⎈
Deploy the EJBCA cert-manager external issuer:
BASH$ helm install ejbca-cert-manager-issuer ejbca-issuer/ejbca-cert-manager-issuer --namespace ejbca-cert-manager --set image.tag="1.3.2"
The output is similar to the following:
BASHNAME: ejbca-cert-manager-issuer LAST DEPLOYED: Thu Jan 25 08:52:16 2024 NAMESPACE: ejbca-cert-manager STATUS: deployed REVISION: 1 TEST SUITE: None
Create a namespace for issuing certificates with the EJBCA cert-manager external issuer:
BASH$ kubectl create namespace pkirules
The output is similar to the following:
BASHnamespace/pkirules created
Create the issuer.yaml file:
BASHcat > issuer.yaml <<EOF apiVersion: ejbca-issuer.keyfactor.com/v1alpha1 kind: Issuer metadata: namespace: pkirules labels: # Customize to to your deployment, but these are optional app.kubernetes.io/name: issuer app.kubernetes.io/instance: pkirules-tls app.kubernetes.io/part-of: ejbca-issuer app.kubernetes.io/created-by: ejbca-issuer name: pkirules-tls spec: hostname: "ejbca-internal.ejbca-k8s" ejbcaSecretName: "ejbca-secret" certificateAuthorityName: "MyPKISubCA-G1" certificateProfileName: "TLS Server Profile" endEntityProfileName: "TLS Server Profile" caBundleSecretName: ejbca-ca-secret EOF
Apply the issuer.yaml file to create an issuer in the pkirules namespace:
CODE$ kubectl apply -f issuer.yaml
The output is similar to the following:
BASHissuer.ejbca-issuer.keyfactor.com/pkirules-tls created
Create the clusterissuer.yaml file:
BASH$ cat > clusterissuer.yaml <<EOF apiVersion: ejbca-issuer.keyfactor.com/v1alpha1 kind: ClusterIssuer metadata: namespace: pkirules labels: # Customize to to your deployment, but these are optional app.kubernetes.io/name: clusterissuer app.kubernetes.io/instance: clusterissuer-pkirules app.kubernetes.io/part-of: ejbca-issuer app.kubernetes.io/created-by: ejbca-issuer name: clusterissuer-pkirules spec: hostname: "ejbca-internal.ejbca-k8s" ejbcaSecretName: "ejbca-secret" certificateAuthorityName: "MyPKISubCA-G1" certificateProfileName: "TLS Server Profile" endEntityProfileName: "TLS Server Profile" caBundleSecretName: ejbca-ca-secret EOF
Apply the clusterissuer.yaml to create an issuer that uses EJBCA fro the Kubernetes cluster:
BASH$ kubectl apply -f clusterissuer.yaml
The output is similar to the following:
BASHclusterissuer.ejbca-issuer.keyfactor.com/clusterissuer-pkirules created
Get the issuers.ejbca-issuer.keyfactor.com:
BASH$ kubectl -n pkirules get issuers.ejbca-issuer.keyfactor.com
The output is similar to the following:
BASHNAME AGE pkirules-tls 1m
Describe the issuers.ejbca-issuer.keyfactor.com:
BASH$ kubectl -n pkirules describe issuers.ejbca-issuer.keyfactor.com
The output is similar to the following:
BASHName: pkirules-tls Namespace: pkirules Labels: app.kubernetes.io/created-by=ejbca-issuer app.kubernetes.io/instance=pkirules-tls app.kubernetes.io/name=issuer app.kubernetes.io/part-of=ejbca-issuer Annotations: <none> API Version: ejbca-issuer.keyfactor.com/v1alpha1 Kind: Issuer Metadata: Creation Timestamp: 2024-01-25T14:02:01Z Generation: 1 Managed Fields: API Version: ejbca-issuer.keyfactor.com/v1alpha1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:kubectl.kubernetes.io/last-applied-configuration: f:labels: .: f:app.kubernetes.io/created-by: f:app.kubernetes.io/instance: f:app.kubernetes.io/name: f:app.kubernetes.io/part-of: f:spec: .: f:caBundleSecretName: f:certificateAuthorityName: f:certificateProfileName: f:ejbcaSecretName: f:endEntityProfileName: f:hostname: Manager: kubectl-client-side-apply Operation: Update Time: 2024-01-25T14:02:01Z API Version: ejbca-issuer.keyfactor.com/v1alpha1 Fields Type: FieldsV1 fieldsV1: f:status: .: f:conditions: Manager: manager Operation: Update Subresource: status Time: 2024-01-25T14:02:01Z Resource Version: 601159 UID: 2f35a08b-c2f7-4612-b5be-bafd6bfaa2ad Spec: Ca Bundle Secret Name: ejbca-ca-secret Certificate Authority Name: MyPKISubCA-G1 Certificate Profile Name: TLS Server Profile Ejbca Secret Name: ejbca-secret End Entity Profile Name: TLS Server Profile Hostname: ejbca-internal.ejbca-k8s Status: Conditions: Last Transition Time: 2024-01-25T14:02:01Z Message: Success Reason: ejbca-issuer.IssuerController.Reconcile Status: True Type: Ready Events: <none>
You now have deployed the EJBCA cert-manager external issuer and can continue with issuing certificates.
Step 5 - Issue certificates with the EJBCA cert-manager external issuer
Now that cert-manager and the EJBCA cert-manager external issuer are deployed and configured, you can issue some certificates. Lets explore issuing a certificate manually, using a certificate object, and deploying a simple deployment that will request a certificate for an ingress.
Manual Issuance
Continue from the terminal window of the previous step.
Create an OpenSSL configuration file to generate TLS certificate CSR:
CODE$ cat > test-cm-01.pkirules.conf <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [ req_distinguished_name ] countryName = SE organizationName = Keyfactor Community commonName = test-cm-01.pkirules [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = test-cm.pkirules EOF
Generate an EC P-256 key using OpenSSL:
BASH$ openssl ecparam -name prime256v1 -genkey -noout -out test-cm-01.pkirules.key
Generate a CSR with the EC Key and OpenSSL configuration file:
BASH$ openssl req -new -sha256 -key test-cm-01.pkirules.key -out test-cm-01.pkirules.csr -config test-cm-01.pkirules.conf
Use base64 to encode the CSR and export it to a variable:
BASH$ CSR64ECODE="$(base64 test-cm-01.pkirules.csr | tr -d \\n)"
Create a certificate request YAML file that is used to manually request a certificate with cert-manager:
BASH$ cat > test-cm-01.pkirules.yaml <<EOF apiVersion: cert-manager.io/v1 kind: CertificateRequest metadata: name: test-cm-01.pkirules namespace: pkirules spec: request: $CSR64ECODE issuerRef: name: pkirules-tls group: ejbca-issuer.keyfactor.com kind: Issuer EOF
Apply the test-cm-01.pkirules.yaml file which creates the certificate request with cert-manager:
BASH$ kubectl apply -f test-cm-01.pkirules.yaml
The output is similar to the following:
BASHcertificaterequest.cert-manager.io/test-cm-01.pkirules created
List the certificate requests in the pkirules namespace:
BASH$ kubectl -n pkirules get CertificateRequest
The output is similar to the following:
BASHNAME APPROVED DENIED READY ISSUER REQUESTOR AGE test-cm-01.pkirules True True pkirules-tls admin 2m18s
Describe the test-cm-01.pkirules certificate request to review the details:
BASH$ kubectl -n pkirules describe CertificateRequest/test-cm-01.pkirules
The output is similar to the following:
BASHName: test-cm-01.pkirules Namespace: pkirules Labels: <none> Annotations: <none> API Version: cert-manager.io/v1 Kind: CertificateRequest Metadata: Creation Timestamp: 2024-01-26T10:29:46Z Generation: 1 Managed Fields: API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: f:conditions: .: k:{"type":"Approved"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: cert-manager-certificaterequests-approver Operation: Update Subresource: status Time: 2024-01-26T10:29:46Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:kubectl.kubernetes.io/last-applied-configuration: f:spec: .: f:issuerRef: .: f:group: f:kind: f:name: f:request: Manager: kubectl-client-side-apply Operation: Update Time: 2024-01-26T10:29:46Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: .: f:ca: f:certificate: f:conditions: k:{"type":"Ready"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: manager Operation: Update Subresource: status Time: 2024-01-26T10:29:46Z Resource Version: 649945 UID: 3d8fffb0-6876-4541-8df2-c8a8ab17ed19 Spec: Groups: system:masters system:authenticated Issuer Ref: Group: ejbca-issuer.keyfactor.com Kind: Issuer Name: pkirules-tls Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQk1qQ0IyUUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDZ3dUUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF3d1RkR1Z6ZEMxamJTMHdNUzV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQk5Va29xeHB3MGR5ZEQyWVdHSGN2UUNqS21ZbzdBZnVYK2NZeGpqWW5MZnEKVXpHZzkvTkxYM2VRRVlDd2pNTlQ4djNycVd2a2JmNFNmUWlJV29GSFoxMmdMakFzQmdrcWhraUc5dzBCQ1E0eApIekFkTUJzR0ExVWRFUVFVTUJLQ0VIUmxjM1F0WTIwdWNHdHBjblZzWlhNd0NnWUlLb1pJemowRUF3SURTQUF3ClJRSWdKQjArdCtySmZvNVRVYWVCcnFCU1RUYlZnTGVEeTh3Lzd1bFpNanJtTldnQ0lRRFdpNDJPcURHVVBqOHkKK3RWZmxXWTVWUWEreUQ4T1JURDZKMDZ5NHlKRWZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg== UID: admin Username: admin Status: Ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== Certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQW5DZ0F3SUJBZ0lVWStUTkNXdHRLc0RmcXREL0ZpZS9aRSsvYzQ4d0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNREU1TkRaYUZ3MHlOVEF4Ck1qTXhNREU1TkRWYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF4TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTFTU2lyR25EUjNKMFBaaFlZZHk5QUtNcVppanNCKzVmNXhqR09OaWN0K3BUCk1hRDM4MHRmZDVBUmdMQ013MVB5L2V1cGErUnQvaEo5Q0loYWdVZG5YYU9DQVRVd2dnRXhNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01EQUdBMVVkRVFRcE1DZUNFSFJsYzNRdFkyMHUKY0d0cGNuVnNaWE9DRTNSbGMzUXRZMjB0TURFdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSApBd0V3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpClEwRXRSekV1WTNKc01CMEdBMVVkRGdRV0JCVFQ4YTJEUTEwSGZCenhPc05LS3J1NVBGYU5LekFPQmdOVkhROEIKQWY4RUJBTUNCYUF3Q2dZSUtvWkl6ajBFQXdRRFNBQXdSUUlnVGhtdTdsTUFZM092Nnk3SmloWmdHMTZRNzYvdgpzVVlGanlYT1NiVEFUZVFDSVFEK2ZRbldlSWRXeVlhYU1HdElhMnVJbURFTE1PeWN1eFZKRVd3YXYvZ3hTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K Conditions: Last Transition Time: 2024-01-26T10:29:46Z Message: Certificate request has been approved by cert-manager.io Reason: cert-manager.io Status: True Type: Approved Last Transition Time: 2024-01-26T10:29:46Z Message: Signed Reason: Issued Status: True Type: Ready Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal cert-manager.io 3m57s cert-manager-certificaterequests-approver Certificate request has been approved by cert-manager.io
The certificate can be obtained from the output and decoded with base64 to view:
BASH$ echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5akNDQW5DZ0F3SUJBZ0lVWStUTkNXdHRLc0RmcXREL0ZpZS9aRSsvYzQ4d0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNREU1TkRaYUZ3MHlOVEF4Ck1qTXhNREU1TkRWYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF4TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTFTU2lyR25EUjNKMFBaaFlZZHk5QUtNcVppanNCKzVmNXhqR09OaWN0K3BUCk1hRDM4MHRmZDVBUmdMQ013MVB5L2V1cGErUnQvaEo5Q0loYWdVZG5YYU9DQVRVd2dnRXhNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01EQUdBMVVkRVFRcE1DZUNFSFJsYzNRdFkyMHUKY0d0cGNuVnNaWE9DRTNSbGMzUXRZMjB0TURFdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSApBd0V3TlFZRFZSMGZCQzR3TERBcW9DaWdKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpClEwRXRSekV1WTNKc01CMEdBMVVkRGdRV0JCVFQ4YTJEUTEwSGZCenhPc05LS3J1NVBGYU5LekFPQmdOVkhROEIKQWY4RUJBTUNCYUF3Q2dZSUtvWkl6ajBFQXdRRFNBQXdSUUlnVGhtdTdsTUFZM092Nnk3SmloWmdHMTZRNzYvdgpzVVlGanlYT1NiVEFUZVFDSVFEK2ZRbldlSWRXeVlhYU1HdElhMnVJbURFTE1PeWN1eFZKRVd3YXYvZ3hTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" | base64 -d
The output is similar to the following:
BASH-----BEGIN CERTIFICATE----- MIICyjCCAnCgAwIBAgIUY+TNCWttKsDfqtD/Fie/ZE+/c48wCgYIKoZIzj0EAwQw SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yNDAxMjYxMDE5NDZaFw0yNTAx MjMxMDE5NDVaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t bXVuaXR5MRwwGgYDVQQDDBN0ZXN0LWNtLTAxLnBraXJ1bGVzMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE1SSirGnDR3J0PZhYYdy9AKMqZijsB+5f5xjGONict+pT MaD380tfd5ARgLCMw1Py/eupa+Rt/hJ9CIhagUdnXaOCATUwggExMB8GA1UdIwQY MBaAFLDlf3Z04iq4uPhYZTPgYqHKpFPtMGEGCCsGAQUFBwEBBFUwUzAxBggrBgEF BQcwAoYlaHR0cDovL215LnBraS9jZXJ0cy9NeVBLSVN1YkNBLUcxLmNydDAeBggr BgEFBQcwAYYSaHR0cDovL215LnBraS9vY3NwMDAGA1UdEQQpMCeCEHRlc3QtY20u cGtpcnVsZXOCE3Rlc3QtY20tMDEucGtpcnVsZXMwEwYDVR0lBAwwCgYIKwYBBQUH AwEwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3Vi Q0EtRzEuY3JsMB0GA1UdDgQWBBTT8a2DQ10HfBzxOsNKKru5PFaNKzAOBgNVHQ8B Af8EBAMCBaAwCgYIKoZIzj0EAwQDSAAwRQIgThmu7lMAY3Ov6y7JihZgG16Q76/v sUYFjyXOSbTATeQCIQD+fQnWeIdWyYaaMGtIa2uImDELMOycuxVJEWwav/gxSA== -----END CERTIFICATE-----
The certificate is ready to use from the manual request.
Certificate Kind Object Request
Create the test-cm-02.pkirules.yaml file to create a certificate with the certificate kind object:
BASH$ cat > test-cm-02.pkirules.yaml <<EOF apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: test-cm-02.pkirules namespace: pkirules spec: subject: countries: - SE organizations: - Keyfactor Community commonName: test-cm-02.pkirules #dnsNames: #- test-cm-02.pkirules privateKey: algorithm: ECDSA size: 256 secretName: test-cm-02 issuerRef: name: pkirules-tls group: ejbca-issuer.keyfactor.com kind: Issuer EOF
Apply the test-cm-02.pkirules.yaml file which enrolls for a certificate with cert-manager and creates a secret for the private key:
BASH$ kubectl apply -f test-cm-02.pkirules.yaml
The output is similar to the following:
BASHcertificate.cert-manager.io/test-cm-02.pkirules created
List the certificate requests:
BASH$ kubectl -n pkirules get CertificateRequest
The output is similar to the following:
BASHNAME APPROVED DENIED READY ISSUER REQUESTOR AGE test-cm-01.pkirules True True pkirules-tls admin 68m test-cm-02.pkirules-1 True True pkirules-tls system:serviceaccount:cert-manager:cert-manager 4m36s
Describe the test-cm-02.pkirules-1 certificate request:
BASH$ kubectl -n pkirules describe CertificateRequest test-cm-02.pkirules-1
The output is similar to the following:
BASHName: test-cm-02.pkirules-1 Namespace: pkirules Labels: <none> Annotations: cert-manager.io/certificate-name: test-cm-02.pkirules cert-manager.io/certificate-revision: 1 cert-manager.io/private-key-secret-name: test-cm-02.pkirules-qkncz API Version: cert-manager.io/v1 Kind: CertificateRequest Metadata: Creation Timestamp: 2024-01-26T11:33:44Z Generation: 1 Managed Fields: API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: f:conditions: .: k:{"type":"Approved"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: cert-manager-certificaterequests-approver Operation: Update Subresource: status Time: 2024-01-26T11:33:44Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:cert-manager.io/certificate-name: f:cert-manager.io/certificate-revision: f:cert-manager.io/private-key-secret-name: f:ownerReferences: .: k:{"uid":"9298479a-3cc1-4370-9146-a1c361007c4a"}: f:spec: .: f:issuerRef: .: f:group: f:kind: f:name: f:request: Manager: cert-manager-certificates-request-manager Operation: Update Time: 2024-01-26T11:33:44Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: .: f:ca: f:certificate: f:conditions: k:{"type":"Ready"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: manager Operation: Update Subresource: status Time: 2024-01-26T11:33:44Z Owner References: API Version: cert-manager.io/v1 Block Owner Deletion: true Controller: true Kind: Certificate Name: test-cm-02.pkirules UID: 9298479a-3cc1-4370-9146-a1c361007c4a Resource Version: 662225 UID: 8e9a8b60-07fa-4573-b1fe-23f3e67e2c39 Spec: Extra: authentication.kubernetes.io/pod-name: cert-manager-55cf8685cb-tztzk authentication.kubernetes.io/pod-uid: 6c69ccc4-46d3-45fd-a942-ec0df90a7ecc Groups: system:serviceaccounts system:serviceaccounts:cert-manager system:authenticated Issuer Ref: Group: ejbca-issuer.keyfactor.com Kind: Issuer Name: pkirules-tls Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQklUQ0J5UUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDaE1UUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF4TVRkR1Z6ZEMxamJTMHdNaTV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQkdQWXFsU3hhM0xIUUhCYW9aMkVKNnVxcnNPb2xrQjV1UnBReHJPZzc1SDAKdEUzR3UvNFd5YW9jTVRqTWtPQlBjOGsxcUI0Wm52anozWFREeU5ZYmFKaWdIakFjQmdrcWhraUc5dzBCQ1E0eApEekFOTUFzR0ExVWREd1FFQXdJRm9EQUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQjE0ckp4YkRaRlhnc2tDRW42Ci9xN1FvdDF5UncyYWxFWHJ4TEcwc1FLWUN3SWdSeTRidnNtdllWQ0laTVBPd0FKWG9GaW12Zk5HZGJOSXRhb1cKNlJVMGZMRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg== UID: 9ec1c31a-f7af-486c-b881-92d55dd4da1f Username: system:serviceaccount:cert-manager:cert-manager Status: Ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== Certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN1RENDQWw2Z0F3SUJBZ0lVUGJYV3I5b1VIVUNzamtsZXBkY3Bva0s5V2JBd0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNVEl6TkRSYUZ3MHlOVEF4Ck1qTXhNVEl6TkROYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF5TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRVk5aXFWTEZyY3NkQWNGcWhuWVFucTZxdXc2aVdRSG01R2xER3M2RHZrZlMwClRjYTcvaGJKcWh3eE9NeVE0RTl6eVRXb0hobWUrUFBkZE1QSTFodG9tS09DQVNNd2dnRWZNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01CNEdBMVVkRVFRWE1CV0NFM1JsYzNRdFkyMHQKTURJdWNHdHBjblZzWlhNd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3RXdOUVlEVlIwZkJDNHdMREFxb0NpZwpKb1lrYUhSMGNEb3ZMMjE1TG5CcmFTOWpjbXh6TDAxNVVFdEpVM1ZpUTBFdFJ6RXVZM0pzTUIwR0ExVWREZ1FXCkJCUmJDNDJRV2dBNGdwWTdBeU9HU1k2eTJOakpPakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdDZ1lJS29aSXpqMEUKQXdRRFNBQXdSUUloQU9tZWNCejN3YnVxU2psei9PZlNsdDJhOXMzOTMvV05oc2pWOEJ1akRoSE5BaUJ2Y0owNQorWk45UWRmNFEzbDFRY3hmakRnWW1IeWl4SElmci91dlBHbk9Ddz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K Conditions: Last Transition Time: 2024-01-26T11:33:44Z Message: Certificate request has been approved by cert-manager.io Reason: cert-manager.io Status: True Type: Approved Last Transition Time: 2024-01-26T11:33:44Z Message: Signed Reason: Issued Status: True Type: Ready Events: <none>
List the certificates created:
BASH$ kubectl -n pkirules get certificate
The output is similar to the following:
BASHNAME READY SECRET AGE test-cm-02.pkirules True test-cm-02 9m51s
Describe the test-cm-02.pkirules certificate:
BASH$ kubectl -n pkirules describe certificate test-cm-02.pkirules
The output is similar to the following:
BASHName: test-cm-02.pkirules Namespace: pkirules Labels: <none> Annotations: <none> API Version: cert-manager.io/v1 Kind: Certificate Metadata: Creation Timestamp: 2024-01-26T11:33:44Z Generation: 1 Managed Fields: API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: f:revision: Manager: cert-manager-certificates-issuing Operation: Update Subresource: status Time: 2024-01-26T11:33:44Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: .: f:conditions: .: k:{"type":"Ready"}: .: f:lastTransitionTime: f:message: f:observedGeneration: f:reason: f:status: f:type: f:notAfter: f:notBefore: f:renewalTime: Manager: cert-manager-certificates-readiness Operation: Update Subresource: status Time: 2024-01-26T11:33:44Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:kubectl.kubernetes.io/last-applied-configuration: f:spec: .: f:commonName: f:issuerRef: .: f:group: f:kind: f:name: f:privateKey: .: f:algorithm: f:size: f:secretName: f:subject: .: f:countries: f:organizations: Manager: kubectl-client-side-apply Operation: Update Time: 2024-01-26T11:33:44Z Resource Version: 662231 UID: 9298479a-3cc1-4370-9146-a1c361007c4a Spec: Common Name: test-cm-02.pkirules Issuer Ref: Group: ejbca-issuer.keyfactor.com Kind: Issuer Name: pkirules-tls Private Key: Algorithm: ECDSA Size: 256 Secret Name: test-cm-02 Subject: Countries: SE Organizations: Keyfactor Community Status: Conditions: Last Transition Time: 2024-01-26T11:33:44Z Message: Certificate is up to date and has not expired Observed Generation: 1 Reason: Ready Status: True Type: Ready Not After: 2025-01-23T11:23:43Z Not Before: 2024-01-26T11:23:44Z Renewal Time: 2024-09-24T11:23:43Z Revision: 1 Events: <none>
List the secrets:
BASH$ kubectl -n pkirules get secrets
The output is similar to the following:
BASHNAME TYPE DATA AGE test-cm-02 kubernetes.io/tls 3 13m
Describe the test-cm-02 secret:
BASH$ kubectl -n pkirules describe secrets test-cm-02
The output is similar to the following:
BASHName: test-cm-02 Namespace: pkirules Labels: controller.cert-manager.io/fao=true Annotations: cert-manager.io/alt-names: test-cm-02.pkirules cert-manager.io/certificate-name: test-cm-02.pkirules cert-manager.io/common-name: test-cm-02.pkirules cert-manager.io/ip-sans: cert-manager.io/issuer-group: ejbca-issuer.keyfactor.com cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: pkirules-tls cert-manager.io/subject-countries: SE cert-manager.io/subject-organizations: Keyfactor Community cert-manager.io/uri-sans: Type: kubernetes.io/tls Data ==== ca.crt: 1660 bytes tls.crt: 1005 bytes tls.key: 227 bytes
The certificate can now be used, for example by mounting the secret into a container
Request Certificate for Ingress Using a Simple Deployment
Create the simple deployment YAML file to deploy a container and issue a certificate to ingress:
BASH$ cat > ejbca-cm-issuer-hello-world.yaml <<EOF --- apiVersion: apps/v1 kind: Deployment metadata: name: ejbca-cm-issuer-helloworld-one namespace: pkirules spec: replicas: 1 selector: matchLabels: app: ejbca-cm-issuer-helloworld-one template: metadata: labels: app: ejbca-cm-issuer-helloworld-one spec: containers: - name: ejbca-cm-issuer-helloworld-one image: hashicorp/http-echo:latest ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: helloworld namespace: pkirules spec: #type: ClusterIP ports: - port: 80 targetPort: 80 protocol: TCP selector: app: ejbca-cm-issuer-helloworld-one apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hellowworld-ingress namespace: pkirules annotations: cert-manager.io/issuer: "pkirules-tls" cert-manager.io/issuer-kind: "Issuer" cert-manager.io/issuer-group: "ejbca-issuer.keyfactor.com" cert-manager.io/common-name: "test-cm-03.pkirules" cert-manager.io/subject-organizations: "Keyfactor Community" cert-manager.io/subject-countries: "SE" cert-manager.io/private-key-algorithm: "ECDSA" cert-manager.io/private-key-size: "256" spec: ingressClassName: public tls: - hosts: - test-cm-03.pkirules secretName: test-cm-03.pkirules rules: - host: test-cm-03.pkirules http: paths: - path: / pathType: Prefix backend: service: name: helloworld port: number: 80 EOF
Apply ejbca-cm-issuer-hello-world.yaml file which starts the deployment and requests a certificate for Ingress using cert-manager:
BASH$ kubectl apply -f ejbca-cm-issuer-hello-world.yaml
The output is similar to the following:
BASHdeployment.apps/ejbca-cm-issuer-helloworld-one created ingress.networking.k8s.io/hellowworld-ingress created
List the certificate requests:
BASH$ kubectl -n pkirules get CertificateRequest
The output is similar to the following:
BASHNAME APPROVED DENIED READY ISSUER REQUESTOR AGE test-cm-01.pkirules True True pkirules-tls admin 177m test-cm-02.pkirules-1 True True pkirules-tls system:serviceaccount:cert-manager:cert-manager 113m test-cm-03.pkirules-1 True True pkirules-tls system:serviceaccount:cert-manager:cert-manager 65s
Describe the test-cm-03.pkirules-1 certificate request:
BASH$ kubectl -n pkirules describe CertificateRequest test-cm-03.pkirules-1
The output is similar to the following:
BASHName: test-cm-03.pkirules-1 Namespace: pkirules Labels: <none> Annotations: cert-manager.io/certificate-name: test-cm-03.pkirules cert-manager.io/certificate-revision: 1 cert-manager.io/private-key-secret-name: test-cm-03.pkirules-fkdg8 API Version: cert-manager.io/v1 Kind: CertificateRequest Metadata: Creation Timestamp: 2024-01-26T13:26:35Z Generation: 1 Managed Fields: API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: f:conditions: .: k:{"type":"Approved"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: cert-manager-certificaterequests-approver Operation: Update Subresource: status Time: 2024-01-26T13:26:35Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:metadata: f:annotations: .: f:cert-manager.io/certificate-name: f:cert-manager.io/certificate-revision: f:cert-manager.io/private-key-secret-name: f:ownerReferences: .: k:{"uid":"9ec95bfc-a645-417c-9634-8e727bdeacf3"}: f:spec: .: f:issuerRef: .: f:group: f:kind: f:name: f:request: f:usages: Manager: cert-manager-certificates-request-manager Operation: Update Time: 2024-01-26T13:26:35Z API Version: cert-manager.io/v1 Fields Type: FieldsV1 fieldsV1: f:status: .: f:ca: f:certificate: f:conditions: k:{"type":"Ready"}: .: f:lastTransitionTime: f:message: f:reason: f:status: f:type: Manager: manager Operation: Update Subresource: status Time: 2024-01-26T13:26:35Z Owner References: API Version: cert-manager.io/v1 Block Owner Deletion: true Controller: true Kind: Certificate Name: test-cm-03.pkirules UID: 9ec95bfc-a645-417c-9634-8e727bdeacf3 Resource Version: 683881 UID: 347ccb7b-fb8c-4e26-97da-d22739a565cc Spec: Extra: authentication.kubernetes.io/pod-name: cert-manager-55cf8685cb-tztzk authentication.kubernetes.io/pod-uid: 6c69ccc4-46d3-45fd-a942-ec0df90a7ecc Groups: system:serviceaccounts system:serviceaccounts:cert-manager system:authenticated Issuer Ref: Group: ejbca-issuer.keyfactor.com Kind: Issuer Name: pkirules-tls Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQlF6Q0I2UUlCQURCSk1Rc3dDUVlEVlFRR0V3SlRSVEVjTUJvR0ExVUVDaE1UUzJWNVptRmpkRzl5SUVOdgpiVzExYm1sMGVURWNNQm9HQTFVRUF4TVRkR1Z6ZEMxamJTMHdNeTV3YTJseWRXeGxjekJaTUJNR0J5cUdTTTQ5CkFnRUdDQ3FHU000OUF3RUhBMElBQkNJSVhlaTNnd00zc1cwZ0trOUQyQkV5U3E4NDVET29oRVhwblBWODdBbm8KUFRXeE5qMjlzaUVxN1RqR2lLTlhBUGpzRjBqcU1VNFVQbTJxWHlncmdZK2dQakE4QmdrcWhraUc5dzBCQ1E0eApMekF0TUI0R0ExVWRFUVFYTUJXQ0UzUmxjM1F0WTIwdE1ETXVjR3RwY25Wc1pYTXdDd1lEVlIwUEJBUURBZ1dnCk1Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQ0lRRC9kS0E1VEpyYzZxMHhEUEhGNkJLRmppWjVJSkhWY3FDMnQ5TnAKSjQrcnRnSWhBTGxzNVpROGlJbmtHNjZ1NTNYdnUveVdIYzJDbGpCdFk3bFUvdSt2VVVKaQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K UID: 9ec1c31a-f7af-486c-b881-92d55dd4da1f Usages: digital signature key encipherment Username: system:serviceaccount:cert-manager:cert-manager Status: Ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNtVENDQWorZ0F3SUJBZ0lVSjBlTDlJbmxubWNDRWpxT3pPTmZOdFZ2QVRFd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdIaGNOTWpNd01USXpNVFl5TkRRMVdoY05Nemd3Ck1URTVNVFl5TkRRMFdqQklNUXN3Q1FZRFZRUUdFd0pUUlRFY01Cb0dBMVVFQ2d3VFMyVjVabUZqZEc5eUlFTnYKYlcxMWJtbDBlVEViTUJrR0ExVUVBd3dTVFhrZ1VFdEpJRk4xWWlCRFFTQXRJRWN4TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRTZqUVhWWk9ha2JQNjFtdG5WVXcvVVl2RzNmQXhRdERBTjZqY0l6bzJLVXpqCmNaSzJkQ3BZUWhpZWdzQ0NLa20xYUhKYXlRNVFTb3hDcVFhUjUyYjZWYU9DQVFRd2dnRUFNQklHQTFVZEV3RUIKL3dRSU1BWUJBZjhDQVFBd0h3WURWUjBqQkJnd0ZvQVUxYzZkYUpDOWlJUzhQNzVlUTZybzB5UjRCNVV3WWdZSQpLd1lCQlFVSEFRRUVWakJVTURJR0NDc0dBUVVGQnpBQ2hpWm9kSFJ3T2k4dmJYa3VjR3RwTDJObGNuUnpMMDE1ClVFdEpVbTl2ZEVOQkxVY3hMbU55ZERBZUJnZ3JCZ0VGQlFjd0FZWVNhSFIwY0RvdkwyMTVMbkJyYVM5dlkzTncKTURZR0ExVWRId1F2TUMwd0s2QXBvQ2VHSldoMGRIQTZMeTl0ZVM1d2Eya3ZZM0pzY3k5TmVWQkxTVkp2YjNSRApRUzFITVM1amNtd3dIUVlEVlIwT0JCWUVGTERsZjNaMDRpcTR1UGhZWlRQZ1lxSEtwRlB0TUE0R0ExVWREd0VCCi93UUVBd0lCaGpBS0JnZ3Foa2pPUFFRREJBTklBREJGQWlBWGN5VjdOdW1PU0RCMDVmeFBqMnRlR3RSWm1vMi8KMklIb0duY3MrNStyaVFJaEFPUEpyZEpTdTYzbFFxRXJwdks2cm1adkxobnE4ZXFHYkF6ekx0WVVseXVWCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIyRENDQVg2Z0F3SUJBZ0lVQXV1TDFjL0FvRndzZnhnVXJPdmFSWGxkT1drd0NnWUlLb1pJemowRUF3UXcKU1RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4SERBYQpCZ05WQkFNTUUwMTVJRkJMU1NCU2IyOTBJRU5CSUMwZ1J6RXdJQmNOTWpNd01USXpNVFl4T0RVNFdoZ1BNakExCk16QXhNVFV4TmpFNE5UZGFNRWt4Q3pBSkJnTlZCQVlUQWxORk1Sd3dHZ1lEVlFRS0RCTkxaWGxtWVdOMGIzSWcKUTI5dGJYVnVhWFI1TVJ3d0dnWURWUVFEREJOTmVTQlFTMGtnVW05dmRDQkRRU0F0SUVjeE1Ga3dFd1lIS29aSQp6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJTUw3a05LR0NqaktmeHd5Qi9zNHF0cEZnMi9hT1ZDZUFCeUVlRE1XCmR6SFlMTU9pZDQ5MDFaUFA1ak1HZ2hxODQreXp6TDV2Q1VYVEtCNDR6SmxVOXFOQ01FQXdEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMWM2ZGFKQzlpSVM4UDc1ZVE2cm8weVI0QjVVd0RnWURWUjBQQVFILwpCQVFEQWdHR01Bb0dDQ3FHU000OUJBTUVBMGdBTUVVQ0lRQ2lGTi9vKytaK0FYa1ZVbk0yTTQydm1WVitLUGZMCnZka1JhT0g3RklJTEV3SWdFejBST1BQcFpBMlhGU2ExZG9ma0FZMWg1aUFid2c2Vk9hSTNLZm9hYlZBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== Certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN6RENDQW5PZ0F3SUJBZ0lVUmlhY0p1Vkk2TzhKTHNaajY1QW93aGwxNVcwd0NnWUlLb1pJemowRUF3UXcKU0RFTE1Ba0dBMVVFQmhNQ1UwVXhIREFhQmdOVkJBb01FMHRsZVdaaFkzUnZjaUJEYjIxdGRXNXBkSGt4R3pBWgpCZ05WQkFNTUVrMTVJRkJMU1NCVGRXSWdRMEVnTFNCSE1UQWVGdzB5TkRBeE1qWXhNekUyTXpWYUZ3MHlOVEF4Ck1qTXhNekUyTXpSYU1Fa3hDekFKQmdOVkJBWVRBbE5GTVJ3d0dnWURWUVFLREJOTFpYbG1ZV04wYjNJZ1EyOXQKYlhWdWFYUjVNUnd3R2dZRFZRUUREQk4wWlhOMExXTnRMVEF6TG5CcmFYSjFiR1Z6TUZrd0V3WUhLb1pJemowQwpBUVlJS29aSXpqMERBUWNEUWdBRUlnaGQ2TGVEQXpleGJTQXFUMFBZRVRKS3J6amtNNmlFUmVtYzlYenNDZWc5Ck5iRTJQYjJ5SVNydE9NYUlvMWNBK093WFNPb3hUaFErYmFwZktDdUJqNk9DQVRnd2dnRTBNQjhHQTFVZEl3UVkKTUJhQUZMRGxmM1owNGlxNHVQaFlaVFBnWXFIS3BGUHRNR0VHQ0NzR0FRVUZCd0VCQkZVd1V6QXhCZ2dyQmdFRgpCUWN3QW9ZbGFIUjBjRG92TDIxNUxuQnJhUzlqWlhKMGN5OU5lVkJMU1ZOMVlrTkJMVWN4TG1OeWREQWVCZ2dyCkJnRUZCUWN3QVlZU2FIUjBjRG92TDIxNUxuQnJhUzl2WTNOd01ETUdBMVVkRVFRc01DcUNFM1JsYzNRdFkyMHQKTURNdWNHdHBjblZzWlhPQ0UzUmxjM1F0WTIwdE1ETXVjR3RwY25Wc1pYTXdFd1lEVlIwbEJBd3dDZ1lJS3dZQgpCUVVIQXdFd05RWURWUjBmQkM0d0xEQXFvQ2lnSm9Za2FIUjBjRG92TDIxNUxuQnJhUzlqY214ekwwMTVVRXRKClUzVmlRMEV0UnpFdVkzSnNNQjBHQTFVZERnUVdCQlE1OUhCOVFnNEtYNFNNUjVMdDRPbzMybHZCeERBT0JnTlYKSFE4QkFmOEVCQU1DQmFBd0NnWUlLb1pJemowRUF3UURSd0F3UkFJZ0o1STB6UVZNVk8zdy9zSGpCdEdhTEt3Ugo2dnd1QWNQQkErTnNvc3ozbGVnQ0lCNEpOTmpXb3dmMXpKSFRiNkFXUXR4UDlIL2M4aDBiNWY0aDluN3ptVFc3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K Conditions: Last Transition Time: 2024-01-26T13:26:35Z Message: Certificate request has been approved by cert-manager.io Reason: cert-manager.io Status: True Type: Approved Last Transition Time: 2024-01-26T13:26:35Z Message: Signed Reason: Issued Status: True Type: Ready Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal cert-manager.io 2m20s cert-manager-certificaterequests-approver Certificate request has been approved by cert-manager.io
Describe the ingress to see that a certificate was created:
BASH$ kubectl -n pkirules describe ingress/hellowworld-ingress
The output is similar to the following:
CODEName: hellowworld-ingress Labels: <none> Namespace: pkirules Address: 127.0.0.1 Ingress Class: public Default backend: <default> TLS: test-cm-03.pkirules terminates test-cm-03.pkirules Rules: Host Path Backends ---- ---- -------- test-cm-03.pkirules / helloworld:80 (<error: endpoints "helloworld" not found>) Annotations: cert-manager.io/common-name: test-cm-03.pkirules cert-manager.io/issuer: pkirules-tls cert-manager.io/issuer-group: ejbca-issuer.keyfactor.com cert-manager.io/issuer-kind: Issuer cert-manager.io/private-key-algorithm: ECDSA cert-manager.io/private-key-size: 256 cert-manager.io/subject-countries: SE cert-manager.io/subject-organizations: Keyfactor Community Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal CreateCertificate 3m17s cert-manager-ingress-shim Successfully created Certificate "test-cm-03.pkirules" Normal Sync 2m19s (x2 over 3m17s) nginx-ingress-controller Scheduled for sync [user@microk8-01 cert-manager]$
You now have deployed certificates three different ways using the EJBCA cert-manager external issuer integration.
Next steps
In this tutorial, you learned how to configure EJBCA for the cert-manager integration and issue certificates from EJBCA natively through cert-manager. Three different issuance methods were demonstrated for this integration.
Here are some next steps we recommend:
If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.
If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.