SelfSigned
The SelfSigned
issuer doesn’t represent a certificate authority as such, but
instead denotes that certificates will be signed through “self signing” using
the given private key. This means that the provided private key of the resulting
certificate will be used to sign its own certificate.
This Issuer
type is useful for bootstrapping the CA certificate key pair for
some Private Key Infrastructure (PKI), or for otherwise creating simple
certificates. Clients consuming these certificates have no way to trust this
certificate since there is no CA signer apart from itself, and as such, would be
forced to trust the certificate as is.
Note:
CertificateRequests
that reference a self signed certificate must also contain the annotationcert-manager.io/private-key-secret-name
. This is because without access to the private key of the certificate request, theCertificateRequest
will be unable to self sign the certificate. This annotation is added automatically by theCertificate
controller.
Deployment
Since the SelfSigned
Issuer
requires no dependency on any other resource to be
configured, it is the simplest to configure. All that is required is for the
SelfSigned
stanza to be present in the issuers spec.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: sandbox
spec:
selfSigned: {}
Optionally, you can specify CRL Distribution Points. An array of strings each of which identifies the location of the CRL from which the revocation of this certificate can be checked:
...
spec:
selfSigned:
crlDistributionPoints:
- "http://example.com"
Once deployed, you should be able to see immediately that the issuer is ready
for signing. Replace issuers
here with clusterissuers
if that is what has
been deployed.
$ kubectl get issuers selfsigned-issuer -n sandbox -o wide
NAME READY STATUS AGE
selfsigned-issuer True 2m
Certificates are now ready to be requested by using the SelfSigned
Issuer
named selfsigned-issuer
within the sandbox
namespace.