kubernetes cert-manager - how to use wildcard ssl as a certificate issuer

I have a wildcard certificate bought from Namecheap, and I want to use it for all of my subdomains. For this I need a cluster certificate issuer, and we are going to use cert-manager to provide it. So let's start.
Step 1: Create a secret in the cert-manager namespace, in a file named ca-secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
data:
  tls.crt: <base64 of fullchain-ca.bundle>
  tls.key: <base64 of cert.key>

tls.crt needs the full chain. This may help:
cat nise_gov_bd.ca-bundle nise_gov_bd.crt > chain.pem
Solution to the "unknown authority" problem:
cat server.crt server.ca-bundle server.key >> ssl-bundle.crt
Here:
- server.crt is the crt file only
- server.ca-bundle is the bundle file
- server.key is the certificate key
Some more information: fullchain.pem = cert.pem + chain.pem
Typically use chain.pem (or the first certificate in it) when you're asked for a CA bundle or CA certificate. For example, with Let's Encrypt we need to use chain.pem as the CA certificate.
The cert file is then built like this:
cat chain.pem cert.pem > fullchain-ca.bundle
You can generate the tls.crt and tls.key values with the following commands:
cat fullchain-ca.bundle | base64 -w0
cat cert.key | base64 -w0
Now apply the secret with the following command:
kubectl apply -f ca-secrets.yaml
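
An added example (not part of the original post) that generates ca-secrets.yaml from the step 1 files. It keeps the chain.pem-then-cert.pem order shown above and refuses input where a private key has ended up in the certificate bundle or a PEM block is cut off. The function names are hypothetical.

```shell
# Added example: build ca-secrets.yaml from the step 1 PEM files.
# Function names are hypothetical; file names are the ones used on the page.

# count_blocks FILE PATTERN: number of lines matching a PEM marker
count_blocks() { grep -c -- "$2" "$1" || true; }

# check_pem FILE KIND: FILE must hold complete blocks of KIND only
# (KIND is CERTIFICATE or "PRIVATE KEY")
check_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    begins=$(count_blocks "$1" "^-----BEGIN .*$2-----")
    ends=$(count_blocks "$1" "^-----END .*$2-----")
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$1: no complete $2 block" >&2; return 1
    fi
    if [ "$2" = CERTIFICATE ]; then other="PRIVATE KEY"; else other=CERTIFICATE; fi
    if [ "$(count_blocks "$1" "^-----BEGIN .*$other-----")" -ne 0 ]; then
        echo "$1: unexpected $other block" >&2; return 1
    fi
}

# join_pem FILE...: concatenate, adding a newline after a file that lacks one
# so an END marker is never glued to the next BEGIN marker
join_pem() {
    for f in "$@"; do
        cat "$f"
        [ -z "$(tail -c 1 "$f")" ] || echo
    done
}

# make_ca_secret CHAIN CERT KEY: print the Secret manifest on stdout
make_ca_secret() {
    check_pem "$1" CERTIFICATE && check_pem "$2" CERTIFICATE &&
        check_pem "$3" "PRIVATE KEY" || return 1
    # Same order as the page: cat chain.pem cert.pem > fullchain-ca.bundle
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: cert-manager
data:
  tls.crt: $(join_pem "$1" "$2" | base64 | tr -d '\n')
  tls.key: $(base64 < "$3" | tr -d '\n')
EOF
}

# Usage: make_ca_secret chain.pem cert.pem cert.key > ca-secrets.yaml
```

Piping through tr -d '\n' gives the same single-line output as base64 -w0 and also works where base64 has no -w option.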
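Step 2: Now create a certificate issuer, in a file named ca-issuer.yaml

# cert-manager.io/v1alpha2 is no longer served from cert-manager 1.6 onward; use cert-manager.io/v1 there
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: k-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: ca-key-pair

Here secretName is the secret we created in step 1, ca-key-pair. A ClusterIssuer looks for this secret in cert-manager's cluster resource namespace, which is cert-manager by default.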
Step 3: Now create a certificate, in a file named cert.yaml, to test the issuer

# cert-manager.io/v1alpha2 is no longer served from cert-manager 1.6 onward; use cert-manager.io/v1 there
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-cert-by-kalyan
spec:
  secretName: k-key-pair
  dnsNames:
    - "*.default.svc.cluster.local"
    - "core2.default.com"
  isCA: true
  issuerRef:
    name: k-issuer
    kind: ClusterIssuer

Here issuerRef.name and issuerRef.kind are important: they must match the name and kind of the issuer created in step 2.
If you want to use the issuer with your ingress, just add this to the ingress annotations:
cert-manager.io/cluster-issuer: k-issuer
That's all we need to do. For more information, follow the link: CA issuer Cert-Manager. If you have any questions or problems, please comment and I'll reply. Thank you.