External
cert-manager supports external Issuer
types. While external issuers are not
implemented in the main cert-manager repository, they are otherwise treated the
same as any other issuer.
External issuers are typically deployed as a pod which is configured
to watch for CertificateRequest
resources in the cluster whose issuerRef
matches the name of the issuer. External issuers exist outside of the
cert-manager.io
group.
Installation for each issuer may differ; check the documentation for each external issuer for more details on installing, configuring and using it.
Known External Issuers
If you've created an external issuer which you'd like to share, raise a Pull Request to have it added here!
These external issuers are known to support and honor approval.
- kms-issuer: Requests certificates signed using an AWS KMS asymmetric key.
- aws-privateca-issuer: Requests certificates from AWS Private Certificate Authority for cloud native/hybrid environments.
- google-cas-issuer: Used to request certificates signed by private CAs managed by the Google Cloud Certificate Authority Service.
- origin-ca-issuer: Used to request certificates signed by Cloudflare Origin CA to enable TLS between Cloudflare edge and your Kubernetes workloads.
- step-issuer: Requests certificates from the Smallstep Certificate Authority server.
- freeipa-issuer: Requests certificates signed by FreeIPA.
- ADCS Issuer: Requests certificates signed by Microsoft Active Directory Certificate Service. [NOT MAINTAINED]
- CFSSL Issuer: Request certificates signed by a CFSSL
multirootca
instance. - ncm-issuer: Requests certificates from the Nokia Netguard Certificate Manager
- tcs-issuer Requests certificates signed securely using Intel's SGX technology.
Building New External Issuers
If you're interested in building a new external issuer, check the development documentation.