cert-manager supports external
Issuer types. These external
Issuer types are
issuers that are not support by cert-manager by default, or are 'out of tree',
however are treated the exact same as any other internal
Issuer type. External
issuer types are typically installed by deploying another pod into your cluster
that will watch
CertificateRequest resources and honor them based on
Issuer resources. These issuer types exist outside of the
v0.11, no changes need to be made to cert-manager to support external
The recommended installation process and configuration options for these external issuer types can be found in the documentation of that external issuer project. A list of known external issuer projects that are maintained by their authors are as follows:
step-issuer: Used to request certificates from the Smallstep Certificate Authority server.
awspca-issuer: Used to request certificates from [AWS Private Certificate Authority] (https://aws.amazon.com/certificate-manager/private-certificate-authority/) for cloud native/hybrid environments.
awskms-issuer: Used to request certificates signed using an AWS KMS asymmetric key.
origin-ca-issuer: Used to request certificates signed by Cloudflare Origin CA to enable TLS between Cloudflare edge and your Kubernetes workloads.
To create your own external issuer type, please follow the guidance in the development documentation.