[kubernetes (K8S) cert-manager] Use cert-manager to create SelfSigned Certificate with kubernetes (K8S)

SelfSigned

The SelfSigned issuer doesn’t represent a certificate authority as such, but instead denotes that certificates will “sign themselves” using a given private key. In other words, the private key of the certificate will be used to sign the certificate itself.

This Issuer type is useful for bootstrapping a root certificate for a custom PKI (Public Key Infrastructure), or for otherwise creating simple ad-hoc certificates.

First, create the selfsigned.yaml manifest file.

# selfsigned.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: cloudolife

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudolife-selfsigned-cluster-issuer
spec:
  selfSigned: {}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cloudolife-selfsigned-ca-certificate
  namespace: cloudolife
spec:
  duration: 26280h # 3y
  renewBefore: 360h # 15d
  isCA: true
  commonName: cloudolife-selfsigned-ca-certificate
  secretName: cloudolife-ca-issuer-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: cloudolife-selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cloudolife-ca-issuer
  namespace: cloudolife
spec:
  ca:
    secretName: cloudolife-ca-issuer-secret

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cloudolife-selfsigned-certificate
  namespace: cloudolife
spec:
  duration: 26280h # 3y
  renewBefore: 360h # 15d
  isCA: false
  commonName: cloudolife-selfsigned-certificate
  subject:
    organizations:
      - "CloudoLife Inc."
  dnsNames:
    - cloudolife.com
    - "*.cloudolife.com"
    - example.cloudolife.com
    - "*.example.cloudolife.com"
  secretName: cloudolife-selfsigned-certificate-secret
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  issuerRef:
    name: cloudolife-selfsigned-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Run the kubectl apply command.

$ kubectl apply -f selfsigned.yaml

Check the Certificates.

$ kubectl get Certificates -n cloudolife
NAMESPACE NAME READY SECRET AGE
cloudolife cloudolife-selfsigned-ca-certificate True cloudolife-ca-issuer-secret 144m
cloudolife cloudolife-selfsigned-certificate True cloudolife-selfsigned-certificate-secret 142m
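Added here as a policy check over the manifest above (example code, not part of the original post or of cert-manager): it takes the Issuer and Certificate objects as Python dicts constructed inline (stdlib only, no YAML parser) and flags what a reviewer would question in it, namely that cloudolife-selfsigned-certificate references the SelfSigned ClusterIssuer directly and so signs itself instead of chaining to the CA, which leaves the cloudolife-ca-issuer Issuer unused, the wildcard SANs, and any renewBefore that is not shorter than duration (cert-manager rejects that). The 2160h fallback is cert-manager's default duration of 90 days.

```python
import re

# Constructed inline: the Issuer and Certificate objects from selfsigned.yaml as dicts (stdlib only).
MANIFESTS = [
    {"kind": "ClusterIssuer", "metadata": {"name": "cloudolife-selfsigned-cluster-issuer"},
     "spec": {"selfSigned": {}}},
    {"kind": "Certificate", "metadata": {"name": "cloudolife-selfsigned-ca-certificate"},
     "spec": {"duration": "26280h", "renewBefore": "360h", "isCA": True,
              "privateKey": {"algorithm": "ECDSA", "size": 256},
              "issuerRef": {"name": "cloudolife-selfsigned-cluster-issuer", "kind": "ClusterIssuer"}}},
    {"kind": "Issuer", "metadata": {"name": "cloudolife-ca-issuer"},
     "spec": {"ca": {"secretName": "cloudolife-ca-issuer-secret"}}},
    {"kind": "Certificate", "metadata": {"name": "cloudolife-selfsigned-certificate"},
     "spec": {"duration": "26280h", "renewBefore": "360h", "isCA": False,
              "dnsNames": ["cloudolife.com", "*.cloudolife.com",
                           "example.cloudolife.com", "*.example.cloudolife.com"],
              "privateKey": {"algorithm": "RSA", "size": 2048},
              "issuerRef": {"name": "cloudolife-selfsigned-cluster-issuer", "kind": "ClusterIssuer"}}},
]
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def hours(go_duration):
    """Convert a Go-style duration such as '26280h' or '1h30m' (cert-manager's format) to hours."""
    parts = re.findall(r"(\d+)([hms])", go_duration)
    if not parts or "".join(n + u for n, u in parts) != go_duration:
        raise ValueError(f"unsupported duration {go_duration!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts) / 3600


def lint(manifests):
    """Return (object name, finding) pairs; an empty list means the manifest passed every check."""
    issuers = {(m["kind"], m["metadata"]["name"]): m
               for m in manifests if m["kind"] in ("Issuer", "ClusterIssuer")}
    used, findings = set(), []
    for m in (m for m in manifests if m["kind"] == "Certificate"):
        name, spec, ref = m["metadata"]["name"], m["spec"], m["spec"]["issuerRef"]
        key = (ref.get("kind", "Issuer"), ref["name"])  # cert-manager defaults kind to Issuer
        used.add(key)
        # A leaf issued by the SelfSigned issuer has no chain to the CA, so clients that
        # trust the CA certificate still reject it; its issuerRef should name the CA Issuer.
        if not spec.get("isCA") and "selfSigned" in issuers.get(key, {"spec": {}})["spec"]:
            findings.append((name, "leaf certificate signs itself instead of chaining to the CA"))
        if hours(spec.get("renewBefore", "0h")) >= hours(spec.get("duration", "2160h")):
            findings.append((name, "renewBefore must be shorter than duration"))  # cert-manager rejects it
        for san in spec.get("dnsNames", []):
            if san.startswith("*."):
                findings.append((name, f"wildcard SAN {san}: one key serves every host under it"))
    for key, m in issuers.items():
        if m["kind"] == "Issuer" and key not in used:
            findings.append((m["metadata"]["name"], "CA Issuer is defined but no Certificate uses it"))
    return findings
```

To chain the leaf to the CA as the manifest seems to intend, change its issuerRef to name cloudolife-ca-issuer with kind Issuer, and the first finding disappears.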
