Issuers
The following list contains all known cert-manager issuer integrations.
Tier | Controller | Docs | Issuer | cert-manager version used in tutorial1 | Released within 12 months2 | Is Open Source |
---|---|---|---|---|---|---|
🥇 | acme-issuer (in-tree) | 📄 | ACME | latest | ✔️ | ✔️ |
🥇 | venafi-enhanced-issuer | 📄 | Venafi TLS Protect | v1.12.1 | ✔️ | ❌ |
🥈 | adcs-issuer | 📄 | Microsoft Active Directory Certificate Service | - | ✔️ | ✔️ |
🥈 | aws-privateca-issuer | 📄 | AWS Private Certificate Authority | - | ✔️ | ✔️ |
🥈 | ca-issuer (in-tree) | 📄 | CA issuer | - | ✔️ | ✔️ |
🥈 | command-issuer | 📄 | Keyfactor Command | - | ✔️ | ✔️ |
🥈 | ejbca-issuer | 📄 | EJBCA | - | ✔️ | ✔️ |
🥈 | google-cas-issuer | 📄 | Google Cloud Certificate Authority Service | - | ✔️ | ✔️ |
🥈 | gs-atlas-issuer | 📄 | GlobalSign CA | - | ✔️ | ✔️ |
🥈 | horizon-issuer | 📄 | EVERTRUST Horizon | - | ✔️ | ✔️ |
🥈 | ncm-issuer | 📄 | Nokia Netguard Certificate Manager | - | ✔️ | ✔️ |
🥈 | selfsigned-issuer (in-tree) | 📄 | Self-Signed issuer | - | ✔️ | ✔️ |
🥈 | step-issuer | 📄 | Certificate Authority server | - | ✔️ | ✔️ |
🥈 | tcs-issuer | 📄 | Intel's SGX technology | - | ✔️ | ✔️ |
🥈 | vault-issuer (in-tree) | 📄 | HashiCorp Vault | - | ✔️ | ✔️ |
🥈 | venafi-issuer (in-tree) | 📄 | Venafi TLS Protect | - | ✔️ | ✔️ |
🥉 | cfssl-issuer | 📄 | CFSSL | - | ❌ | ✔️ |
🥉 | freeipa-issuer | 📄 | FreeIPA | - | ❌ | ✔️ |
🥉 | kms-issuer | 📄 | AWS KMS | - | ❌ | ✔️ |
🥉 | origin-ca-issuer | 📄 | Cloudflare Origin CA | - | ❌ | ✔️ |
- The issuers are sorted by their tier and then alphabetically.
- "in-tree" issuers are issuers that are shipped with cert-manager itself.
- These issuers are known to support and honor approval.
If you've created an issuer which you'd like to share, raise a Pull Request to have it added here!
Issuer Tier system
The cert-manager project has a tier system for issuers. This is to help users understand the maturity of the issuer. The tiers are 🥇, 🥈 and 🥉.
NOTE: The cert-manager maintainers can decide to change the criteria and number of tiers at any time.
🥇 Tier (Production-ready)
- 🥈 Tier criteria.
- The issuer has an end-to-end tutorial on how to set it up with cert-manager for use in production.
At the time of checking1, the used cert-manager version has to be still supported (see Supported Releases).
An end-to-end tutorial must include:
- a short explanation on how to install cert-manager (including the used version and a link to https://cert-manager.io/docs/installation/)
- all required steps to install the issuer
- an explanation on how to configure the issuer's Custom Resources
- an explanation on how to issue a certificate using the issuer (using a Certificate resource)
🥈 Tier (Maintained)
- The issuer has had a release in the last 12 months (at the time of checking all issuers2).
🥉 Tier (Unmaintained)
Other
Building New External Issuers
If you're interested in building a new external issuer, check the development documentation.