SelfSigned
The SelfSigned issuer doesn't represent a certificate authority as such, but
instead denotes that certificates will be signed through "self signing" using
the given private key. This means that the private key of the resulting
certificate is also the key used to sign that certificate, so the certificate's
issuer and subject are the same entity.
This Issuer type is useful for bootstrapping the CA certificate key pair for
some Private Key Infrastructure (PKI), or for otherwise creating simple
certificates. Clients consuming these certificates have no way to validate them
through a chain of trust, since there is no CA signer apart from the certificate
itself; they must be configured to trust the certificate directly, for example
by distributing it as a trust anchor or pinning it, and that distribution has to
happen out of band.
Note:
CertificateRequests that reference a SelfSigned issuer must also contain the annotation cert-manager.io/private-key-secret-name, naming the Secret that holds the private key matching the CSR. This is because without access to the private key of the certificate request, the CertificateRequest will be unable to self sign the certificate. This annotation is added automatically by the Certificate controller.
Deployment
Since the SelfSigned Issuer requires no dependency on any other resource to be
configured, it is the simplest to configure. All that is required is for the
selfSigned stanza to be present in the issuer's spec.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: sandbox
spec:
  selfSigned: {}
Optionally, you can specify CRL Distribution Points: an array of strings, each of which identifies the location of the CRL from which the revocation of this certificate can be checked:
...
spec:
  selfSigned:
    crlDistributionPoints:
    - "http://example.com"
Once deployed, you should be able to see immediately that the issuer is ready
for signing. Replace issuers here with clusterissuers if that is what has
been deployed.
$ kubectl get issuers selfsigned-issuer -n sandbox -o wide
NAME                READY   STATUS   AGE
selfsigned-issuer   True             2m
Certificates are now ready to be requested by using the SelfSigned Issuer
named selfsigned-issuer within the sandbox namespace.
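The following manifests are an added example, not part of the cert-manager documentation, showing the PKI bootstrapping use described above: the SelfSigned issuer signs a CA certificate, the Secret it lands in backs a CA issuer, and that CA issuer signs a leaf certificate so that clients only ever need one trust anchor. The resource names selfsigned-ca, sandbox-ca-secret, ca-issuer and example-leaf, the DNS name example.sandbox.svc and the chosen durations and key algorithm are assumptions made for this example.

```yaml
# Added example: bootstrap a private CA with the SelfSigned issuer, then
# issue a leaf certificate from that CA. Resource names, DNS name,
# durations and key algorithm are assumptions, not values from the page.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: sandbox
spec:
  selfSigned: {}
---
# The CA certificate is signed by its own private key via selfsigned-issuer.
# Nothing vouches for it; clients must receive tls.crt from the resulting
# Secret out of band and install it as a trust anchor.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-ca
  namespace: sandbox
spec:
  isCA: true
  commonName: sandbox-ca
  secretName: sandbox-ca-secret
  duration: 8760h    # 1 year
  renewBefore: 720h  # renew 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# A CA issuer backed by the Secret that holds the self-signed CA key pair.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: sandbox-ca-secret
---
# Leaf certificate issued by the CA rather than by selfsigned-issuer
# directly, so its chain terminates at the single trust anchor above.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-leaf
  namespace: sandbox
spec:
  secretName: example-leaf-tls
  commonName: example.sandbox.svc
  dnsNames:
  - example.sandbox.svc
  duration: 2160h    # 90 days
  usages:
  - server auth
  - digital signature
  - key encipherment
  issuerRef:
    name: ca-issuer
    kind: Issuer
    group: cert-manager.io
```

After applying these, `kubectl get certificates -n sandbox` should show both Certificates with READY True. To confirm that the CA certificate really is self-signed, extract it and compare issuer and subject, which must be identical: `kubectl get secret sandbox-ca-secret -n sandbox -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -issuer -subject`. Only that CA certificate needs to be distributed to clients; the leaf in example-leaf-tls validates against it like any CA-issued certificate.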