
Use cert-manager and DigiCert ACME service with Kubernetes

This process works in cert-manager 1.1 and later. It assumes you are comfortable with the command line and have permission to install software in your environment.

Create a certificate profile for ACME enrollment

  1. In DigiCert® Trust Lifecycle Manager, create a certificate profile for third-party ACME integration.

  2. Copy and save the ACME credentials for the certificate profile (URL, HMAC key, and key ID) in a secure location. If you lose these values, you will need to reinstall and reconfigure cert-manager.

Example:

  • KID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM

  • HMAC key: MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg

Configure cert-manager

  1. Open a terminal window and log in to your environment. Install cert-manager as shown below.

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
    kubectl get namespaces

  2. Create a namespace for the cert-manager issuer and certificate resources you create below.

    kubectl create namespace <namespace>

    Example:

    kubectl create namespace certmanagernew
  3. Create a secret in cert-manager for the external account binding (EAB-HMAC). Use the HMAC key you saved when you created the certificate profile above as the eab_hmac value below.

    kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>

    Example:

    kubectl create secret generic testcmanagereab --from-literal secret=MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg -n certmanagernew
  4. Create a YAML configuration file (test-cmanager-acme.yaml) that specifies the parameter values for adding an issuer in cert-manager.

    Note

    The server URL in the example below works for local TLM deployments. If your TLM deployment is cloud-hosted, use the automation URL you received when you set up your ACME profile instead.

    Example: Update the text below with your namespace, email, server, keyID, and keySecretRef name. Save as test-cmanager-acme.yaml.

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: testcmanager-issuer
      namespace: certmanagernew
    spec:
      acme:
        email: t2@digicert.com
        # New enrollments only
        server: http://enterprise.dcone.svc.cluster.local/mpki/api/v1/acme/v2/directory
        # Disables verification of the ACME server's TLS certificate; intended for local TLM deployments only
        skipTLSVerify: true
        externalAccountBinding:
          keyID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM
          keySecretRef:
            name: testcmanagereab   # the EAB secret created in step 3
            key: secret
          keyAlgorithm: HS256
        privateKeySecretRef:
          name: testcmanageraccountkey   # cert-manager stores the ACME account key here
        solvers:
        # An empty 'selector' means that this solver matches all domains
        - selector: {}
          http01:
            ingress:
              class: nginx
  5. Run the command below and wait for the account to be created.

    kubectl apply -f test-cmanager-acme.yaml
  6. Run kubectl describe to verify that the ACME account has been registered with the DigiCert ACME server. Example:

    kubectl describe issuer -n certmanagernew
  7. Create a YAML configuration file (test-cmanager-acme-certificate.yaml) that specifies the parameter values for requesting a certificate from the issuer in cert-manager.

    Example: Update the text below with your namespace, common name, and DNS names.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: testcmanager-certificate-test.winthecustomer.com
      namespace: certmanagernew
    spec:
      secretName: testcmanagercertificate   # secret that will hold the issued certificate and private key
      issuerRef:
        name: testcmanager-issuer   # the Issuer created in step 4
      commonName: winthecustomer.com
      dnsNames:
      - winthecustomer.com
  8. Run kubectl apply with test-cmanager-acme-certificate.yaml to obtain the certificate.

    kubectl apply -f test-cmanager-acme-certificate.yaml
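As an added illustration of what cert-manager does with the key ID and HMAC key configured in steps 3 and 4 (example code written for this page, not cert-manager's or DigiCert's own), the following Python builds and verifies the external account binding JWS from RFC 8555 section 7.3.4 that binds a new ACME account to the certificate profile. The KID and HMAC key are this page's example values; the account JWK and the newAccount URL are constructed placeholders.

```python
"""Build and verify an ACME external account binding (EAB) JWS (RFC 8555, 7.3.4).

Added example, not cert-manager's or DigiCert's code. The client side signs its
account public key with the profile's HMAC key; the CA side recomputes the MAC."""
import base64
import hashlib
import hmac
import json

# Example ACME credentials from this page (certificate profile key ID and HMAC key).
PAGE_KID = "jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM"
PAGE_HMAC_KEY = "MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg"
# Constructed placeholders: the ACME account public key (JWK) and the CA's newAccount URL.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
NEW_ACCOUNT_URL = "https://tlm.example/acme/v2/new-account"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url whether or not the padding was stripped (the TLM key above has none)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side (what cert-manager sends in newAccount): HS256 JWS over the account JWK."""
    protected = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64url: str, expected_kid: str, expected_url: str) -> bool:
    """CA side: reject a wrong algorithm, key ID or URL, then compare the MAC in constant time."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signature = b64url_decode(eab["signature"])
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    except (KeyError, ValueError):
        return False  # malformed or incomplete binding
    if (header.get("alg"), header.get("kid"), header.get("url")) != ("HS256", expected_kid, expected_url):
        return False
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)
```

Because the binding is only as strong as the HMAC key, anyone holding the key and KID can register accounts against the profile, which is why the page says to store them securely and why a lost key means reconfiguring cert-manager rather than recovering it.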

Additional commands

Check certificate status:

kubectl describe certificate -n certmanagernew

Inspect the certificate request sent to the issuer:

kubectl describe certificaterequest -n certmanagernew

Request new certificate with same credentials:

kubectl delete -f test-cmanager-acme-certificate.yaml
kubectl apply -f test-cmanager-acme-certificate.yaml

Request new certificate with different credentials:

  1. Run these commands:

    kubectl delete -f test-cmanager-acme.yaml
    kubectl delete -f test-cmanager-acme-certificate.yaml
  2. Delete the EAB secret you created earlier.

  3. Using your updated KID and HMAC key values, follow the above process starting with step 3.

Uninstall commands

To uninstall cert-manager:

kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml

This removes all cert-manager resources. It is required only if you need to reinstall cert-manager.

To uninstall namespace:

kubectl delete ns certmanagernew