OpenShift - Create SSL certificate using cert-manager


cert-manager can be used to manage SSL certificates, such as creating a new SSL certificate, renewing an SSL certificate, revoking an SSL certificate, and so on.

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

Before creating a new SSL certificate using cert-manager, list the available issuers. The oc get issuers command can be used to list the namespaced issuers that can be used by cert-manager. It's fairly common for the oc get issuers command to return "No resources found" since issuers are typically defined as cluster-wide ClusterIssuer resources rather than being limited to a particular namespace.

~]$ oc get issuers --all-namespaces
No resources found

 

The oc get clusterissuers command can be used to list the issuers that cert-manager can use in any namespace in the OpenShift cluster.

~]$ oc get clusterissuers
NAME                         READY   AGE
public-clusterissuer         True    649d
internal-clusterissuer       True    471d

 

Let's say you have the following in a YAML file. Notice the YAML includes one of the issuers, internal-clusterissuer in this example.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-certificate
  namespace: my-project
spec:
  commonName: my-project-certificate.op.example.com
  dnsNames:
    - "my-project-certificate.op.example.com"
  duration: 8760h0m0s
  isCA: false
  issuerRef:
    kind: ClusterIssuer
    name: internal-clusterissuer
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    rotationPolicy: Always
    size: 2048
  renewBefore: 360h0m0s
  secretName: my-secret
  subject:
    countries:
    - US
    localities:
    - Los Angeles
    organizationalUnits:
    - Information Technology
    organizations:
    - Acme
    provinces:
    - CA
  usages:
  - server auth

 

The oc apply command can be used to create the Certificate resource.

oc apply --filename my-certificate.yml

 

Then the oc get certificates command can be used to list the cert-manager certificates in the namespace the certificate was created in. Check that the READY column for the certificate is True.

~]$ oc get certificates --namespace my-project
NAME             READY   SECRET      AGE
my-certificate   True    my-secret   2m37s
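
READY True only reports that cert-manager issued the certificate. The following added example (not part of the original article) pulls tls.crt out of my-secret and checks it against the dnsNames and renewBefore values in the YAML above. The function names fetch_cert and check_cert are hypothetical, and the -ext option assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: compare the issued certificate with the Certificate spec.
# check_cert and fetch_cert are hypothetical helper names.

# fetch_cert NAMESPACE SECRET
# Prints the PEM in tls.crt; needs oc and read access to the Secret.
fetch_cert() {
  oc get secret "$2" --namespace "$1" --output jsonpath='{.data.tls\.crt}' |
    base64 --decode
}

# check_cert PEM_FILE DNS_NAME WINDOW_SECONDS
# 0 = ok, 2 = not a certificate, 3 = DNS name not in SAN,
# 4 = expires within WINDOW_SECONDS.
check_cert() {
  local pem="$1" dns="$2" window="$3"

  openssl x509 -in "$pem" -noout 2>/dev/null ||
    { echo "FAIL: $pem is not an X.509 certificate"; return 2; }

  # Split the SAN list into one entry per line and require an exact match,
  # so a longer name that merely starts with DNS_NAME does not pass.
  if ! openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null |
       tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
       grep -qxF "DNS:${dns}"; then
    echo "FAIL: SAN does not contain DNS:${dns}"; return 3
  fi

  # -checkend N exits non-zero when the certificate expires within N seconds.
  openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null ||
    { echo "FAIL: expires within ${window}s"; return 4; }

  echo "OK: $(openssl x509 -in "$pem" -noout -enddate)"
}

# Usage against the resources from this article (360h renewBefore = 1296000 s):
#   fetch_cert my-project my-secret > /tmp/tls.crt
#   check_cert /tmp/tls.crt my-project-certificate.op.example.com 1296000
```

With rotationPolicy set to Always, each renewal also replaces the private key in my-secret, so workloads that mount the Secret must reload both the key and the certificate.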


 



