Create the ClusterIssuer Resource

A ClusterIssuer is a Kubernetes resource that defines a certificate authority for issuing TLS certificates across the cluster. Create a ClusterIssuer resource to configure the Keyfactor ACME server as the certificate issuer for the cluster by following these steps:

  1. Create a new YAML file and open it for editing. For example:

    nano issuer.yaml

    Note:  See the following, which describes the format for the YAML files:

  2. Place the following content into the file. Take note of the information you must enter, shown in angle brackets:

    Important:  When editing the file, be sure to preserve the indenting exactly as shown. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to apply the file.

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: keyfactor-acme-issuer
    spec:
      acme:
        email: <email address>
        server: https://<FQDN URL of the Keyfactor ACME server>/ACME
        externalAccountBinding:
          keyID: <Keyfactor ACME KeyID>
          keySecretRef:
            name: eab-secret
            key: secret
          keyAlgorithm: HS256
        privateKeySecretRef:
          name: keyfactor-issuer-account-key
        solvers:
          - http01:
              ingress:
                class: nginx
  3. Save the file.
  4. Apply the resource to your cluster:

    kubectl apply -f issuer.yaml
  5. Verify that the account was created successfully using the following command:

    kubectl describe clusterissuer

    Near the bottom of the result you should see Status: True. If there is an issue with your account, the error message may appear in the Message property.

    Tip:  If you need to delete and try again, use this command:
    kubectl delete -f issuer.yaml
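
A pre-apply check for the issuer.yaml built in the steps above, as an added example that is not part of Keyfactor's documentation or tooling. It enforces the two-space indentation rule from the Important note and rejects unreplaced placeholders or a non-HTTPS server URL; `check_issuer_manifest` is a hypothetical helper name.

```shell
# Added example (not Keyfactor or cert-manager tooling): pre-apply checks for
# the issuer.yaml from step 2. check_issuer_manifest is a hypothetical helper.
check_issuer_manifest() {
  local file="$1" rc=0
  [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 2; }

  # A tab in the leading whitespace is never valid YAML indentation.
  if grep -nE "^ *$(printf '\t')" "$file" >&2; then
    echo "error: tab used for indentation (lines above)" >&2; rc=1
  fi
  # Indentation must be a multiple of two spaces: flag an odd count.
  if grep -nE '^(  )* [^ ]' "$file" >&2; then
    echo "error: odd indentation (lines above)" >&2; rc=1
  fi
  # Every <...> placeholder from the template must have been replaced.
  if grep -nE '<[^>]+>' "$file" >&2; then
    echo "error: unreplaced placeholder (lines above)" >&2; rc=1
  fi
  # Exactly one ACME server entry, and it must be an https:// URL
  # (ACME, RFC 8555, requires HTTPS).
  if [ "$(grep -cE '^ +server: ' "$file")" -ne 1 ] ||
     ! grep -qE '^ +server: https://[^/ ]+/' "$file"; then
    echo "error: spec.acme.server must be a single https:// URL" >&2; rc=1
  fi
  # The page's template binds the external account with HS256.
  if ! grep -qE '^ +keyAlgorithm: HS256 *$' "$file"; then
    echo "error: externalAccountBinding.keyAlgorithm is not HS256" >&2; rc=1
  fi
  # The EAB HMAC key belongs in the referenced Secret, not in this file.
  if ! grep -qE '^ +keySecretRef: *$' "$file"; then
    echo "error: externalAccountBinding.keySecretRef is missing" >&2; rc=1
  fi
  return "$rc"
}

# Usage when saved as a script: ./check-issuer.sh issuer.yaml
if [ "$#" -gt 0 ]; then
  check_issuer_manifest "$1" && echo "ok: $1 passed pre-apply checks"
fi
```

In a scripted rollout, step 5 can be checked with `kubectl wait --for=condition=Ready clusterissuer/keyfactor-acme-issuer --timeout=120s`, which exits non-zero if the account registration does not reach Ready.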