Enroll for a Certificate

Enroll for a certificate using cert-manager through Keyfactor ACME as follows:

  1. Create a new file and open it for editing. For example:

    nano certificate.yaml
    Note:  See the following, which describes the format for the YAML files:

  2. Place the following content into the file.

    The fields highlighted in red below (the placeholder values in capitals, such as CERTIFICATE-DNS-NAME) indicate fields that need to be edited or that you may wish to edit. The fields highlighted in green indicate values that were provided with the secrets created in the previous steps.

    Important:  When editing the file, be sure to preserve the indenting exactly as shown. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to apply the file.
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: keyfactor-cert-manager-issued
      namespace: default
    spec:
      # Secret names are always required.
      secretName: keyfactor-cert-manager-tls
      #duration: 2160h # 90d
      #renewBefore: 360h # 15d
      subject:
        organizations:
          - "OPTIONAL-ORGANIZATION-NAME"
      # The use of the common name field has been deprecated since 2000 and is discouraged from being used.
      #commonName: "CERTIFICATE-FQDN"
      isCA: false
      privateKey:
        algorithm: RSA
        encoding: PKCS1
        size: 2048
      usages:
        - server auth
        - client auth
      # At least one of a DNS Name, URI, or IP address is required.
      dnsNames:
        - "CERTIFICATE-DNS-NAME"
      #  -
      #uris:
      #- test.org.com
      #- spiffe://cluster.local/ns/sandbox/sa/example
      #ipAddresses:
      #- 192.168.0.5
      # Issuer references are always required.
      issuerRef:
        name: keyfactor-acme-issuer
        # The keyfactor issuer was created as a ClusterIssuer.
        # The default value is Issuer (i.e. a locally namespaced Issuer).
        kind: ClusterIssuer
        # This is optional since cert-manager will default to this value; however,
        # if you are using an external issuer, change this to that issuer group.
        group: cert-manager.io
  3. Save the file.
  4. Apply the resource to your cluster:

    sudo kubectl apply -f certificate.yaml
  5. Verify that the certificate was issued successfully using the following command:

    sudo kubectl describe certificate

    The message should say something similar to “successfully issued” and the certificate will appear in your certificate inventory in Keyfactor Command.

    Tip:  If you need to delete the certificate or retry, use this command to delete the resource:
    kubectl delete -f certificate.yaml

    However, if a certificate was issued and you reuse the same certificate.yaml and account, a new certificate will not be issued. Instead, the original certificate will be retrieved from your server as long as it is still valid. To force a new enrollment, you need to change information on the certificate in your certificate.yaml file.
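    As an added example (not part of the Keyfactor documentation or of cert-manager), the following Python script checks the resource from steps 2 and 5 for the problems a reviewer would flag before and after applying it: placeholder values left in, a weak key, no SAN, isCA set, a missing issuer reference, and a Ready condition that is not True. It reads the JSON shape that `kubectl get certificate NAME -o json` returns; the embedded sample object is constructed from the manifest above with its placeholders still in place and issuance still pending.

```python
import json

# Template values from the page's manifest that must be replaced before applying it.
PLACEHOLDERS = {"CERTIFICATE-DNS-NAME", "CERTIFICATE-FQDN", "OPTIONAL-ORGANIZATION-NAME"}
MIN_KEY_SIZE = {"RSA": 2048, "ECDSA": 256}  # smallest acceptable key per algorithm


def check_certificate(cert: dict) -> list:
    """Return findings for a cert-manager Certificate object; [] means it looks sane."""
    findings, spec = [], cert.get("spec") or {}
    if cert.get("kind") != "Certificate" or not spec.get("secretName"):
        findings.append("kind must be Certificate and spec.secretName is required")
    # cert-manager requires at least one SAN (dnsNames, uris or ipAddresses).
    sans = spec.get("dnsNames", []) + spec.get("uris", []) + spec.get("ipAddresses", [])
    if not sans:
        findings.append("at least one of dnsNames, uris or ipAddresses is required")
    orgs = (spec.get("subject") or {}).get("organizations", [])
    leftover = sorted(v for v in sans + orgs + [spec.get("commonName")] if v in PLACEHOLDERS)
    if leftover:
        findings.append("placeholder values still present: " + ", ".join(leftover))
    if spec.get("isCA"):
        findings.append("isCA is true: a service certificate should not be a CA")
    key = spec.get("privateKey") or {}
    algorithm = key.get("algorithm", "RSA")  # cert-manager defaults to RSA 2048
    size = key.get("size", 2048 if algorithm == "RSA" else 256)
    if size < MIN_KEY_SIZE.get(algorithm, 0):
        findings.append(f"{algorithm} key size {size} is below {MIN_KEY_SIZE[algorithm]}")
    ref = spec.get("issuerRef") or {}
    if not ref.get("name") or ref.get("kind", "Issuer") not in ("Issuer", "ClusterIssuer"):
        findings.append("issuerRef needs a name and a kind of Issuer or ClusterIssuer")
    # After `kubectl apply`, the Ready condition reports whether issuance succeeded.
    for cond in (cert.get("status") or {}).get("conditions", []):
        if cond.get("type") == "Ready" and cond.get("status") != "True":
            findings.append("not Ready: " + cond.get("message", "no message"))
    return findings


# Constructed sample in the shape of `kubectl get certificate NAME -o json`: the page's
# manifest with its placeholders left in, while cert-manager is still issuing.
SAMPLE = json.loads("""{"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
 "metadata": {"name": "keyfactor-cert-manager-issued", "namespace": "default"},
 "spec": {"secretName": "keyfactor-cert-manager-tls", "isCA": false,
  "subject": {"organizations": ["OPTIONAL-ORGANIZATION-NAME"]},
  "privateKey": {"algorithm": "RSA", "encoding": "PKCS1", "size": 2048},
  "usages": ["server auth", "client auth"], "dnsNames": ["CERTIFICATE-DNS-NAME"],
  "issuerRef": {"name": "keyfactor-acme-issuer", "kind": "ClusterIssuer", "group": "cert-manager.io"}},
 "status": {"conditions": [{"type": "Ready", "status": "False",
  "message": "Issuing certificate as Secret does not exist"}]}}""")

if __name__ == "__main__":
    print("\n".join(check_certificate(SAMPLE)) or "no findings")
```

    Run it against the live object with `kubectl get certificate keyfactor-cert-manager-issued -o json` piped into `json.load`; an empty findings list corresponds to the "successfully issued" state described in step 5.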