Use cert-manager and DigiCert ACME service with Kubernetes
This process works in cert-manager 1.1 and later. It assumes you understand how to use the command line and have access to install software your environment.
Create a certificate profile for ACME enrollment
In DigiCert® Trust Lifecycle Manager, create a certificate profile for third-party ACME integration.
Copy and save the ACME credentials for the certificate profile (URL, HMAC key, and key ID) in a secure location. If you lose these values, you will need to reinstall and reconfigure cert-manager.
Example:
KID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM
HMAC key: MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg
Configure cert-manager
Open a terminal window and log in to your environment. Install cert-manager as shown below.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml kubectl get namespaces
Create a namespace for cert-manager.
kubectl create namespace <namespace>
Example:
kubectl create namespace certmanagernew
Create a secret in cert-manager for the external account binding (EAB-HMAC). Use the HMAC key you saved in Create an ACME directory URL above in the
eab_hmac
field below.kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>
Example:
kubectl create secret generic testcmanagereab --from-literal secret=MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg -n certmanagernew
Create a YAML (test-cmanager-acme.yaml) configuration file specifying the values for the parameters to add an issuer in cert-manager.
注記
The server URL in the below example will work for local TLM deployments. If you deployed TLM from the cloud, provide the automation URL you received when you set up your ACME profile.
Example: Update the text below with your namespace, email, server, keyID, and keySecretRef name. Save as test-cmanager-acme.yaml.
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: testcmanager-issuer namespace: certmanagernew spec: acme: email: t2@digicert.com #New enrollments only server: http://enterprise.dcone.svc.cluster.local/mpki/api/v1/acme/v2/directory skipTLSVerify: true externalAccountBinding: keyID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM keySecretRef: name: testcmanagereab key: secret keyAlgorithm: HS256 privateKeySecretRef: name: testcmanageraccountkey solvers: # An empty 'selector' means that this solver matches all domains - selector: {} http01: ingress: class: nginx
Run the command below and wait for the account to be created.
kubectl apply -f test-cmanager-acme.yaml
Run
kubectl describe
to verify the ACME account has been registered to the DigiCert ACME server. Example:kubectl describe issuer -n certmanagernew
Create a YAML (test-cmanager-acme-certificate.yaml) configuration file specifying the values for the parameters to add Issuer in cert-manager.
Example: Update the text below with your namespace, common name, and DNS names.
apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: testcmanager-certificate-test.winthecustomer.com namespace: certmanagernew spec: secretName: testcmanagercertificate issuerRef: name: testcmanager-issuer commonName: winthecustomer.com dnsNames: - winthecustomer.com
Run
kubectl apply test-cmanager-acme-certificate.yaml
to obtain the certificate.kubectl apply -f test-cmanager-acme-certificate.yaml
Additional commands
Check certificate status:
kubectl describe certificate -n certmanagernew
Fetch certificate from issuer:
kubectl describe certificaterequest -n certmanagernew
Request new certificate with same credentials:
kubectl delete -f test-cmanager-acme-certificate.yaml kubectl apply -f test-cmanager-acme-certificate.yaml
Request new certificate with different credentials:
Run these commands:
kubectl delete -f test-cmanager-acme.yaml kubectl delete -f test-cmanager-acme-certificate.yaml
Delete the EAB secret you created earlier.
Using your updated KID and HMAC key values, follow the above process starting with step 3.
Uninstall commands
To uninstall cert-manager:
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
Removes all cert-manager resources. Required only in case of reinstallation.
To uninstall namespace:
kubectl delete ns certmanagernew