Possibility to provide full chain with self-issuer CA #6876
Comments
I have the same issue; homeassistant, for example, requires a fullchain (ca + cert) and a separate key in its configuration (under `http:`). Is there any way to accomplish this with cert-manager?
I think the additional output formats feature in cert-manager could be used to produce "special" output formats like the full chain. This feature graduated to beta in cert-manager 1.15, which means it is enabled by default.
Dear all,
First of all, thank you to all the maintainers, committers and community! Personally, I'm a huge fan of cert-manager :).
My question
Given
is there a possibility to configure cert-manager to provide the full-chain in tls.crt?
While I understood the main concerns being:
we do have exactly such a use-case.
Use-case
We're using the cert-manager Helm charts https://github.com/cert-manager/cert-manager/releases/ in version 1.13.2 on an Azure Kubernetes Service (AKS). The cert-manager PKI is a 2-tier PKI, meaning we have a self-issued CA ClusterIssuer on AKS and the corresponding leaf certificates. Those leaf certificates are issued for NGINX Ingress Controllers, using the built-in cert-manager annotations.
Additionally, an Azure Application Gateway is used to distribute incoming load to the corresponding ingresses on AKS.
The Azure Application Gateway requires the backends (thus our AKS ingresses) to present the full chain (including root certificates) in order to establish a trust relationship. Please note that, additionally, for not-well-known CAs (as in our cert-manager self-issued/self-signed CA), the root certificate must be imported into the Application Gateway's truststore.
Thus, while the setup does provide an independent distribution of the root certificate, the AppGW still requires the full chain to be presented, which contradicts the way cert-manager (incl. self-issued) generates ca.crt and tls.crt.
Further Information
Question
Looking forward to hearing from you.
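One practical way to satisfy a consumer that wants "ca + cert" in one file is to bundle the two files cert-manager writes into the TLS Secret, tls.crt (leaf) and ca.crt (issuing CA), yourself. The script below is an added example, not code from this issue or from cert-manager. It assumes the two PEM files have already been extracted from the Secret, and it handles the one edge case that routinely breaks hand-made bundles: a PEM file whose last line has no trailing newline, which makes a plain `cat` glue the END marker of one certificate onto the BEGIN marker of the next. The sample inputs are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the issue or from cert-manager. It assembles a
# full-chain PEM bundle from the two files the issue names, tls.crt (leaf)
# and ca.crt (issuing CA), in the order TLS peers expect: leaf first, CA last.
set -eu

# Concatenate PEM files into one bundle, guaranteeing a newline between them.
# If a file's last line lacks "\n", plain `cat a b` glues
# "-----END CERTIFICATE-----" onto the next "-----BEGIN CERTIFICATE-----"
# and the bundle no longer parses: the result looks like a full chain but
# contains only one usable certificate.
build_fullchain() {
  for f in "$@"; do
    cat "$f"
    # $(tail -c1 ...) is empty when the file already ends with a newline
    [ -z "$(tail -c1 "$f")" ] || printf '\n'
  done
}

# Number of well-formed certificates in a PEM bundle. The anchored pattern
# deliberately does not count a glued "END...BEGIN" line; `|| true` keeps a
# zero count from aborting a `set -e` script.
count_pem_certs() {
  grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# The first PEM block of a bundle; used to confirm the leaf comes first.
first_pem_block() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p; /^-----END CERTIFICATE-----$/q' "$1"
}

# Constructed sample inputs standing in for a cert-manager Secret's tls.crt and
# ca.crt. The bodies are placeholders, not real DER. tls.crt is deliberately
# written WITHOUT a trailing newline to exercise the edge case above.
make_sample_inputs() {
  dir=$1
  printf '%s\n%s\n%s' \
    '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER+LEAF+BODY+NOT+A+REAL+CERTIFICATE=' \
    '-----END CERTIFICATE-----' > "$dir/tls.crt"
  printf '%s\n%s\n%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER+CA+BODY+NOT+A+REAL+CERTIFICATE=' \
    '-----END CERTIFICATE-----' > "$dir/ca.crt"
}

# Build the bundle from the sample inputs and report how many certificates it holds.
demo() {
  work=$(mktemp -d)
  make_sample_inputs "$work"
  build_fullchain "$work/tls.crt" "$work/ca.crt" > "$work/fullchain.pem"
  count_pem_certs "$work/fullchain.pem"
  rm -rf "$work"
}

demo
```

With real files from a Secret, run `build_fullchain tls.crt ca.crt > fullchain.pem` and confirm the bundle is consistent with `openssl verify -CAfile ca.crt tls.crt` before handing it to the consumer; keep tls.key separate, since neither homeassistant's configuration nor a TLS backend wants the private key inside the chain file. Whether the gateway in front additionally expects the root to be the last element of the chain, as this issue describes for Application Gateway, is something to confirm against that product's documentation rather than assume.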