Tell the project team how you are using cert-manager Take this short anonymous survey

Implementing External Issuers

cert-manager offers a number of core issuer types that represent certificate authorities that can sign certificates when requested. As of v0.11, cert-manager also supports out-of-tree external issuers, and treats them the same as in-tree issuer types. For more information on how to install and configure external issuer types, read the documentation here.


An issuer represents a certificate authority that signs incoming certificate requests. In cert-manager, the CertificateRequest resource represents a single request for a signed certificate, containing the raw certificate request PEM data as well as other information that can be used to describe the designed certificate.

In cert-manager, each issuer type has its own controller that watches these CertificateRequest resources and waits for one to be created which is meant for itself. This is done by the issuerRef stanza on the CertificateRequest which inside contains - name, kind, group. The group denotes an API group, for example which is responsible for all core issuer types. kind denotes the kind resource type of the issuer, such as an Issuer or ClusterIssuer. Finally, the name denotes the name of the issuer resource inside of that kind.

When an issuer controller observes a new CertificateRequest, it ensure that the request is meant for its controller type, and if so, then ensures that the corresponding issuer resource exists in Kubernetes. If these are both true, it will then use the information inside that issuer resource to attempt to create a signed certificate, based upon the certificate request.

Issuers must also ensure that before signing, the CertificateRequest is Approved. If the CertificateRequest is not Approved, the issuer should not process it. Issuers are not responsible for approving CertificateRequests. Issuer implementations may choose to support older versions of cert-manager (pre v1.3) by signing CertificateRequests that will never have an approval condition set. Disabling this gate check should be an optional flag, and the gate enabled by default.

Once a signed certificate has been gathered by the issuer controller, it then updates the status of the CertificateRequest resource with the signed certificate. It is then important to then update the condition status of that resource to a ready state, as this is what is used to signal to higher order controllers, such as the Certificate controller, that the resource is ready to be consumed. Conversely, if the CertificateRequest fails, it is as important to mark the resource as such, as this will also be used to signal to higher order controllers. You can read the valid condition states here.


It is recommended that you make use of the kubebuilder project in order to implement your external issuer controller. This makes it very simple to generate CustomResourceDefinitions and gives you a lot of controller functionality out of the box. If you have further questions on how to implement an external issuer controller, it is best to reach out of the #cert-manager slack channel, or to join the weekly community calls which you will be invited to once you join the Google Group.

Sample External Issuer

There is a Sample External Issuer, which is maintained by the cert-manager authors, and which serves as an example of how to write an external issuer.

The README file has step-by-step instructions on how to write an external issuer using Kubebuilder and controller-runtime, and contains detailed notes on all the tools you will need.