The SelfSigned issuer doesn’t represent a certificate authority as such, but instead denotes that certificates will be signed through “self signing” using the given private key. This means that the provided private key of the resulting certificate will be used to sign its own certificate.

This Issuer type is useful for bootstrapping the CA certificate key pair for some Private Key Infrastructure (PKI), or for otherwise creating simple certificates. Clients consuming these certificates have no way to trust this certificate since there is no CA singer apart from itself, and as such, would be forced to trust the certificate as is.

Note: CertificateRequests that reference a self signed certificate must also contain the annotation This is because without access to the private key of the certificate request, the CertificateRequest will be unable to self sign the certificate. This annotation is added automatically by the Certificate controller.


Since the SelfSigned Issuer requires no dependency on any other resource to be configured, it is the simplest to configure. All that is required is for the SelfSigned stanza to be present in the issuers spec.

kind: Issuer
  name: selfsigning-issuer
  namespace: sandbox
  selfSigned: {}

Once deployed, you should be able to see immediately that the issuer is ready for signing. Replace issuers here with clusterissuers if that is what has been deployed.

$ kubectl get issuers selfsigned-issuer -n sandbox -o wide
NAME          READY   STATUS                AGE
self-issuer   True                          2m

Certificates are now ready to be requested by using the SelfSigned Issuer named selfsigned-issuer within the sandbox namespace.