This is a cache of https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-creating-certificate.html. It is a snapshot of the page at 2024-11-26T09:16:08.062+0000.
Configuring certificates with an issuer - cert-manager Operator for Red Hat OpenShift | Security and compliance | OpenShift Container Platform 4.16
×

By using the cert-manager Operator for Red Hat OpenShift, you can manage certificates, handling tasks such as renewal and issuance, for workloads within the cluster, as well as components interacting externally to the cluster.

Creating certificates for user workloads

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have installed the cert-manager Operator for Red Hat OpenShift.

Procedure
  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.

  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> (1)
        namespace: <issuer_namespace> (2)
      spec:
        isCA: false
        commonName: '<common_name>' (3)
        secretName: <secret_name> (4)
        dnsNames:
        - "<domain_name>" (5)
        issuerRef:
          name: <issuer_name> (6)
          kind: Issuer
      1 Provide a name for the certificate.
      2 Specify the namespace of the issuer.
      3 Specify the common name (CN).
      4 Specify the name of the secret to create that contains the certificate.
      5 Specify the domain name.
      6 Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
Verification
  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n <issuer_namespace>

    Once certificate is in Ready status, workloads on your cluster can start using the generated certificate secret.

Creating certificates for the API server

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have installed version 1.13.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure
  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.

  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> (1)
        namespace: openshift-config
      spec:
        isCA: false
        commonName: "api.<cluster_base_domain>" (2)
        secretName: <secret_name> (3)
        dnsNames:
        - "api.<cluster_base_domain>" (4)
        issuerRef:
          name: <issuer_name> (5)
          kind: Issuer
      1 Provide a name for the certificate.
      2 Specify the common name (CN).
      3 Specify the name of the secret to create that contains the certificate.
      4 Specify the DNS name of the API server.
      5 Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
  3. Add the API server named certificate. For more information, see "Adding an API server named certificate" section in the "Additional resources" section.

To ensure the certificates are updated, run the oc login command again after the certificate is created.

Verification
  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n openshift-config

    Once certificate is in Ready status, API server on your cluster can start using the generated certificate secret.

Creating certificates for the Ingress Controller

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have installed version 1.13.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure
  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.

  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> (1)
        namespace: openshift-ingress
      spec:
        isCA: false
        commonName: "apps.<cluster_base_domain>" (2)
        secretName: <secret_name> (3)
        dnsNames:
        - "apps.<cluster_base_domain>" (4)
        - "*.apps.<cluster_base_domain>" (4)
        issuerRef:
          name: <issuer_name> (5)
          kind: Issuer
      1 Provide a name for the certificate.
      2 Specify the common name (CN).
      3 Specify the name of the secret to create that contains the certificate.
      4 Specify the DNS name of the ingress.
      5 Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
  3. Replace the default ingress certificate. For more information, see "Replacing the default ingress certificate" section in the "Additional resources" section.

Verification
  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n openshift-ingress

    Once certificate is in Ready status, Ingress Controller on your cluster can start using the generated certificate secret.