Skip to main content

Use cert-manager and DigiCert ACME service with Kubernetes

This process works in cert-manager 1.1 and later. It assumes you understand how to use the command line and have access to install software your environment.

Create a certificate profile for ACME enrollment

  1. In DigiCert​​®​​ Trust Lifecycle Manager, create a certificate profile for third-party ACME integration.

  2. Copy and save the ACME credentials for the certificate profile (URL, HMAC key, and key ID) in a secure location. If you lose these values, you will need to reinstall and reconfigure cert-manager.

Example:

  • KID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM

  • HMAC key: MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg

Configure cert-manager

  1. Open a terminal window and log in to your environment. Install cert-manager as shown below.

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
    kubectl get namespaces
    
  2. Create a namespace for cert-manager.

    kubectl create namespace <namespace>  

    Example:

    kubectl create namespace certmanagernew
  3. Create a secret in cert-manager for the external account binding (EAB-HMAC). Use the HMAC key you saved in Create an ACME directory URL above in the eab_hmac field below.

    kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>

    Example:

    kubectl create secret generic testcmanagereab --from-literal secret=MWJiMjQ5MDQ5YWUzOTFiN2JlOWNmODBmNDY2NWNhM2U2MTgyYzI2ZDMxZDNhNmJmNzliZTZlNzE5MzIxODk1Yg -n certmanagernew
  4. Create a YAML (test-cmanager-acme.yaml) configuration file specifying the values for the parameters to add an issuer in cert-manager.

    Opmerking

    The server URL in the below example will work for local TLM deployments. If you deployed TLM from the cloud, provide the automation URL you received when you set up your ACME profile.

    Example: Update the text below with your namespace, email, server, keyID, and keySecretRef name. Save as test-cmanager-acme.yaml.

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: testcmanager-issuer
      namespace: certmanagernew
    spec:
      acme:
        email: t2@digicert.com
        #New enrollments only
        server: http://enterprise.dcone.svc.cluster.local/mpki/api/v1/acme/v2/directory
        skipTLSVerify: true
        externalAccountBinding:
          keyID: jvJrlqcDpK1cO3IiinRFJ_9L1tiaA6lmUGFmTTg32RM
          keySecretRef:
            name: testcmanagereab
            key: secret
          keyAlgorithm: HS256
        privateKeySecretRef:
          name: testcmanageraccountkey
        solvers:
        # An empty 'selector' means that this solver matches all domains
        - selector: {}
          http01:
            ingress:
              class: nginx
  5. Run the command below and wait for the account to be created.

    kubectl apply -f test-cmanager-acme.yaml
  6. Run kubectl describe to verify the ACME account has been registered to the DigiCert ACME server. Example:

    kubectl describe issuer -n certmanagernew
  7. Create a YAML (test-cmanager-acme-certificate.yaml) configuration file specifying the values for the parameters to add Issuer in cert-manager.

    Example: Update the text below with your namespace, common name, and DNS names.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: testcmanager-certificate-test.winthecustomer.com
      namespace: certmanagernew
    spec:
      secretName: testcmanagercertificate
      issuerRef:
        name: testcmanager-issuer
      commonName: winthecustomer.com
      dnsNames:
      - winthecustomer.com
  8. Run kubectl apply test-cmanager-acme-certificate.yaml to obtain the certificate.

    kubectl apply -f test-cmanager-acme-certificate.yaml 

Additional commands

Check certificate status:

kubectl describe certificate  -n certmanagernew    

Fetch certificate from issuer:

kubectl describe certificaterequest -n certmanagernew

Request new certificate with same credentials:

kubectl delete -f test-cmanager-acme-certificate.yaml 
kubectl apply -f test-cmanager-acme-certificate.yaml

Request new certificate with different credentials:

  1. Run these commands:

    kubectl delete -f test-cmanager-acme.yaml
    kubectl delete -f test-cmanager-acme-certificate.yaml 
  2. Delete the EAB secret you created earlier.

  3. Using your updated KID and HMAC key values, follow the above process starting with step 3.

Uninstall commands

To uninstall cert-manager:

kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml 

Removes all cert-manager resources. Required only in case of reinstallation.

To uninstall namespace:

kubectl delete ns certmanagernew