4f35c56443
* Added KeyEncoding spec value to Certificate type. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added validation for Certificate Spec field KeyEncoding. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added Encoding PKCS8 function for encoding private keys in generate.go. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Modified the call to the private key encoding function for each issuer in issue.go to pass in the extra KeyEncoding field. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added case for decoding pkcs8 key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Converting decoded PKCS8 key into crypto.Signer. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added debugging log statements for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Log messages for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added logs for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added debug logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Add debug logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Modified keys package. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the key converter to the ssh package. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Testing decoding as pkcs1 key instead. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Trying to convert to crypto.Signer for PKCS8. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Converting to rsa.PrivateKey. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed return to type private key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changing parsing. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Cleaned up logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed logging info. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed debug logging. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fix parse test for new pkcs8 support. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed extra lines. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed extra lines and spaces. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed duplicate PKCS8 functions. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the KeyEncoding field from an int to a string. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed issue.go for issuers to pass in the certificate when encoding private key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Corrected capitalization of Spec. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the error message to use the correct variable. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed selfsigned issue.go to pass in certificate object instead of the keyEncoding. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed error format. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed test to pass in certificate variable into encoding private key function. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed syntax issue. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed parameter for encode private key function in parse_test.go. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed parse test for encode private key function. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed invalid syntax. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Moved the if statement. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Cleaned up go-fmt errors. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Ran bazel run //hack:update-reference-docs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed encode private key to take keyEncoding instead of certificate. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed setting keyEncoding for ca issue test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixing passing in the correct type for encoding private key. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixing passing in the correct type for encoding private key. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed parameter passed into encode private key for parse test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added unit test for encoding different private key types. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed key encoding field from existing test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added KeyEncoding spec value to Certificate type. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added validation for Certificate Spec field KeyEncoding. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added Encoding PKCS8 function for encoding private keys in generate.go. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Modified the call to the private key encoding function for each issuer in issue.go to pass in the extra KeyEncoding field. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added case for decoding pkcs8 key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Converting decoded PKCS8 key into crypto.Signer. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added debugging log statements for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Log messages for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added logs for decoding private keys. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added debug logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Add debug logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Modified keys package. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the key converter to the ssh package. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Testing decoding as pkcs1 key instead. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Trying to convert to crypto.Signer for PKCS8. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Converting to rsa.PrivateKey. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed return to type private key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changing parsing. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Cleaned up logs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed logging info. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed debug logging. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fix parse test for new pkcs8 support. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed extra lines. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed extra lines and spaces. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed duplicate PKCS8 functions. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the KeyEncoding field from an int to a string. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed issue.go for issuers to pass in the certificate when encoding private key. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Corrected capitalization of Spec. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed the error message to use the correct variable. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed selfsigned issue.go to pass in certificate object instead of the keyEncoding. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed error format. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed test to pass in certificate variable into encoding private key function. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed syntax issue. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed parameter for encode private key function in parse_test.go. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed parse test for encode private key function. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed invalid syntax. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Moved the if statement. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Cleaned up go-fmt errors. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Ran bazel run //hack:update-reference-docs. Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Changed encode private key to take keyEncoding instead of certificate. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed setting keyEncoding for ca issue test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixing passing in the correct type for encoding private key. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixing passing in the correct type for encoding private key. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed parameter passed into encode private key for parse test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added unit test for encoding different private key types. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed key encoding field from existing test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed syntax error for declaring constant. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Moving private key all to one line. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added commas after each test case and changed the private key to a pkcs1 rsa private key. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed test errors. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added default error. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Predefined actualEncoding variable. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Undeclared actualEncoding variable. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Declared actualEncoding variable to nil. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Declared actualEncoding variable to empty key encoding type. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixed unit test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Ran update go-fmt. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Added e2e test for pkcs8 certificate. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Removed unused variable. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Creating issue in pkcs8 e2e test. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Fixing no new variables on the left side of := for err variable. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * Updated docs to mention the key encoding field. Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local> * change venafi issuer to support different cert encoding Signed-off-by: Daniel Morsing <dmo@jetstack.io> * update crds Signed-off-by: Daniel Morsing <dmo@jetstack.io>
150 lines
4.8 KiB
ReStructuredText
150 lines
4.8 KiB
ReStructuredText
============
|
|
Certificates
|
|
============
|
|
|
|
cert-manager has the concept of 'Certificates' that define a desired X.509
|
|
certificate. A Certificate is a namespaced resource that references an
|
|
Issuer or ClusterIssuer for information on how to obtain the certificate.
|
|
|
|
A simple Certificate could be defined as:
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 17-20
|
|
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: acme-crt
|
|
spec:
|
|
secretName: acme-crt-secret
|
|
dnsNames:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
acme:
|
|
config:
|
|
- http01:
|
|
ingressClass: nginx
|
|
domains:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
issuerRef:
|
|
name: letsencrypt-prod
|
|
# We can reference ClusterIssuers by changing the kind here.
|
|
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
|
kind: Issuer
|
|
|
|
This Certificate will tell cert-manager to attempt to use the Issuer
|
|
named ``letsencrypt-prod`` to obtain a certificate key pair for the
|
|
``foo.example.com`` and ``bar.example.com`` domains. If successful, the
|
|
resulting key and certificate will be stored in a secret named
|
|
``acme-crt-secret`` with keys of ``tls.key`` and ``tls.crt`` respectively.
|
|
This secret will live in the same namespace as the ``Certificate`` resource.
|
|
|
|
The ``dnsNames`` field specifies a list of `Subject Alternative Names`_ to be
|
|
associated with the certificate. If the ``commonName`` field is omitted, the
|
|
first element in the list will be the common name.
|
|
|
|
The referenced Issuer must exist in the same namespace as the Certificate.
|
|
A Certificate can alternatively reference a ClusterIssuer which is
|
|
non-namespaced.
|
|
|
|
.. _`Subject Alternative Names`: https://en.wikipedia.org/wiki/Subject_Alternative_Name
|
|
|
|
***************************************
|
|
Certificate Duration and Renewal Window
|
|
***************************************
|
|
|
|
cert-manager Certificate resources also support custom validity durations and
|
|
renewal windows.
|
|
|
|
**Important**: The backend service implementation can choose to generate a
|
|
certificate with a different validity period than what is requested in the
|
|
issuer.
|
|
|
|
Although the duration and renewal periods are specified on the Certificate
|
|
resources, the corresponding Issuer or ClusterIssuer must support this.
|
|
|
|
The table below shows the support state of the different backend services used
|
|
by issuer types:
|
|
|
|
=========== ============================================================
|
|
Issuer Description
|
|
=========== ============================================================
|
|
ACME Only 'renewBefore' supported
|
|
CA Fully supported
|
|
Vault Fully supported (although the requested duration must be lower
|
|
than the configured Vault role's TTL)
|
|
Self Signed Fully supported
|
|
Venafi Fully supported
|
|
=========== ============================================================
|
|
|
|
The default duration for all certificates is 90 days and the default renewal
|
|
windows is 30 days. This means that certificates are considered valid for 3
|
|
months and renewal will be attempted within 1 month of expiration.
|
|
|
|
The *duration* and *renewBefore* parameters must be given in the golang `parseDuration string format <https://golang.org/pkg/time/#ParseDuration>`__.
|
|
|
|
Example Usage
|
|
=============
|
|
Here an example of an issuer specifying the duration and renewal window.
|
|
|
|
The certificate from the previous section is extended with a validity period of
|
|
24 hours and to begin trying to renew 12 hours before the certificate
|
|
expiration.
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 7,8
|
|
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
secretName: example-tls
|
|
duration: 24h
|
|
renewBefore: 12h
|
|
dnsNames:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
issuerRef:
|
|
name: my-internal-ca
|
|
kind: Issuer
|
|
|
|
************************
|
|
Certificate Key Encoding
|
|
************************
|
|
|
|
cert-manager Certificate resources support two types of key encodings
|
|
for its private key known as the private key cryptography standards (PKCS).
|
|
The two key encodings are PKCS#1 and PKCS#8.
|
|
|
|
The default encoding is PKCS#1, if the `keyEncoding` field of the Certificate spec is left empty.
|
|
|
|
A limitation exists where once a Certificate resource is generated with a
|
|
specific key encoding, it cannot be generated with a different key encoding.
|
|
|
|
Example Usage
|
|
=============
|
|
Here is an example of a Certificate specifying the use of PKCS#8 encoding on
|
|
its private key.
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 7
|
|
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: example-pkcs8-cert
|
|
spec:
|
|
secretName: example-pkcs8-secret
|
|
keyEncoding: pkcs8
|
|
dnsNames:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
issuerRef:
|
|
name: my-internal-ca
|
|
kind: Issuer
|