Knowledge Base

Configure cert-manager and DigiCert ACME service with Kubernetes

Solution ID : SO040121142532

Last Modified : 03/26/2024

Compatible with cert-manager v1.1 or later.

Important: On January 30, 2024, we updated the ACME URL. To create your credentials, you must now use the new URL.

New URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory
Previous URL: https://acme.digicert.com/v2/acme/directory/

Create an ACME Directory URL from CertCentral.
Copy and save the ACME Directory URL, HMAC key, and KID values in a secure location.
Create a namespace for cert-manager.

kubectl create namespace <namespace>
Create a secret in cert-manager for the EAB-HMAC.

kubectl create secret generic <eab_secret_name> --from-literal secret=<eab_hmac> -n <namespace>
Create a YAML configuration file specifying the values for the parameters to add Issuer in cert-manager.

#test-cert-manager-acme.yaml

apiVersion: cert-manager.io/v1

kind: Issuer

metadata:

namespace: <namespace>

spec:

acme:

email: <email_address>

#New enrolments only

server: https://one.digicert.com/mpki/api/v1/acme/v2/directory

externalAccountBinding:

keyID: <eab_kid>

keySecretRef:

key: secret

keyAlgorithm: HS256

privateKeySecretRef:

solvers:

- http01:

ingress:

---

apiVersion: cert-manager.io/v1

kind: Certificate

metadata:

namespace: <namespace>

spec:

dnsNames:

- <certificate_common_name>

secretName: <certificate_private_key_name>

issuerRef:

6. Run the kubectl apply command to request the certificate from the DigiCert ACME server.

kubectl apply -f test-cert-manager-acme.yaml

7. Run the kubectl describe command to verify the ACME account has been registered to the DigiCert ACME server.

kubectl describe issuer -n <namespace>

The output is similar to:

Name: <issuer_name>

Namespace: <namespace>

Labels: <none>

Annotations: <none>

API Version: cert-manager.io/v1

Kind: Issuer

Metadata:

Creation Timestamp: 2020-12-17T12:16:47Z

Generation: 1

Managed Fields:

API Version: cert-manager.io/v1alpha2

Fields Type: FieldsV1

fieldsV1:

f:metadata:

f:annotations:

f:kubectl.kubernetes.io/last-applied-configuration:

f:spec:

f:acme:

f:email:

f:externalAccountBinding:

f:keyAlgorithm:

f:keyID:

f:keySecretRef:

f:key:

f:name:

f:privateKeySecretRef:

f:name:

f:server:

f:skipTLSVerify:

f:solvers:

Manager: kubectl-client-side-apply

Operation: Update

Time: 2020-12-17T12:16:47Z

API Version: cert-manager.io/v1

Fields Type: FieldsV1

fieldsV1:

f:status:

f:acme:

f:lastRegisteredEmail:

f:uri:

f:conditions:

Manager: controller

Operation: Update

Time: 2020-12-17T12:16:49Z

Resource Version: 421519

Self Link: /apis/cert-manager.io/v1/namespaces/acme-cert-manager-test/issuers/test-acme

UID: 0a6f67ac-30d9-4e97-876f-4773b2b0a21e

Spec:

Acme:

Email: <email>

External Account Binding:

Key Algorithm: HS256

Key ID: <eab_kid>

Key Secret Ref:

Key: secret

Name: <eab_secret_name>

Preferred Chain:

Private Key Secret Ref:

Name: <account_private_key_name>

Server: https://one.digicert.com/mpki/api/v1/acme/v2/directory

Skip TLS Verify: true

Solvers:

http01:

Ingress:

Class: nginx

Status:

Acme:

Last Registered Email: <email>

Uri: <unique_account_url>

Conditions:

Last Transition Time: 2020-12-17T12:16:49Z

Message: The ACME account was registered with the ACME server

Reason: ACMEAccountRegistered

Status: True

Type: Ready

Events:

8. Once the ACME account is registered, run the following commands:

To check the certificate request status:

kubectl describe certificaterequest -n <namespace>

The output is similar to:

#certificaterequest output

Conditions:

Last Transition Time: 2020-12-17T17:29:27Z

Message: Certificate fetched from issuer successfully

Reason: Issued

Status: True

Type: Ready

Events: <none>

To check the certificate status:

kubectl describe certificate -n <namespace>

The output is similar to:

#certificate output

Spec:

Dns Names:

<certificate_common_name>

Issuer Ref:

Name: <issuer_name>

Secret Name: <certificate_secret_name>

Status:

Conditions:

Last Transition Time: 2020-12-17T17:29:27Z

Message: Certificate is up to date and has not expired

Reason: Ready

Status: True

Type: Ready

Not After: 2021-12-21T23:59:59Z

Not Before: 2020-12-17T00:00:00Z

Renewal Time: 2021-11-21T23:59:59Z

Revision: 1

Events:

Note: If an ACME Directory URL is used for multiple issuances, replace the Kind attribute of an Issuer to ClusterIssuer and remove the metadata:namespace attributes.

However, we recommend you to keep the unique Issuer per namespace to have a mutually exclusive operation.

choose your language

Knowledge Base

Configure cert-manager and DigiCert ACME service with Kubernetes

Compatible with cert-manager v1.1 or later.

Note: If an ACME Directory URL is used for multiple issuances, replace the Kind attribute of an Issuer to ClusterIssuer and remove the metadata:namespace attributes.

However, we recommend you to keep the unique Issuer per namespace to have a mutually exclusive operation.

Support

Products

Solutions

Knowledge Base

Configure cert-manager and DigiCert ACME service with Kubernetes

Compatible with cert-manager v1.1 or later.

Note: If an ACME Directory URL is used for multiple issuances, replace the Kind attribute of an Issuer to ClusterIssuer and remove the metadata:namespace attributes. However, we recommend you to keep the unique Issuer per namespace to have a mutually exclusive operation.

Support

Products

Solutions

Note: If an ACME Directory URL is used for multiple issuances, replace the Kind attribute of an Issuer to ClusterIssuer and remove the metadata:namespace attributes.

However, we recommend you to keep the unique Issuer per namespace to have a mutually exclusive operation.