External

cert-manager supports external Issuer types. While external issuers are not implemented in the main cert-manager repository, they are otherwise treated the same as any other issuer.

External issuers are typically deployed as a pod which is configured to watch for CertificateRequest resources in the cluster whose issuerRef matches the name of the issuer. External issuers exist outside of the cert-manager.io group.

Installation for each issuer may differ; check the documentation for each external issuer for more details on installing, configuring and using it.

Known External Issuers

If you've created an external issuer which you'd like to share, raise a Pull Request to have it added here!

These external issuers are known to support and honor approval.

• kms-issuer: Requests certificates signed using an AWS KMS asymmetric key.
• aws-privateca-issuer: Requests certificates from AWS Private Certificate Authority for cloud native/hybrid environments.
• google-cas-issuer: Used to request certificates signed by private CAs managed by the Google Cloud Certificate Authority Service.
• origin-ca-issuer: Used to request certificates signed by Cloudflare Origin CA to enable TLS between Cloudflare edge and your Kubernetes workloads.
• step-issuer: Requests certificates from the Smallstep Certificate Authority server.
• freeipa-issuer: Requests certificates signed by FreeIPA.
• ADCS Issuer: Requests certificates signed by Microsoft Active Directory Certificate Service.
• CFSSL Issuer: Request certificates signed by a CFSSL multirootca instance.

Building New External Issuers

If you're interested in building a new external issuer, check the development documentation.