The Keyfactor Command external issuer for cert-manager allows you to override default settings in the Issuer and ClusterIssuer resources through the use of annotations. This gives you more granular control on a per-Certificate/CertificateRequest basis.
Here are the supported annotations that can override the default values:
- `command-issuer.keyfactor.com/certificateTemplate`: Overrides the `certificateTemplate` field from the resource spec.

  ```yaml
  command-issuer.keyfactor.com/certificateTemplate: "Ephemeral2day"
  ```

- `command-issuer.keyfactor.com/certificateAuthorityLogicalName`: Specifies the Certificate Authority (CA) logical name to use, overriding the default CA specified in the resource spec.

  ```yaml
  command-issuer.keyfactor.com/certificateAuthorityLogicalName: "InternalIssuingCA1"
  ```

- `command-issuer.keyfactor.com/certificateAuthorityHostname`: Specifies the Certificate Authority (CA) hostname to use, overriding the default CA specified in the resource spec.

  ```yaml
  command-issuer.keyfactor.com/certificateAuthorityHostname: "example.com"
  ```

The Keyfactor Command external issuer for cert-manager also allows you to specify Command Metadata through the use of annotations. Metadata attached to a certificate request will be stored in Command and can be used for reporting and auditing purposes. The syntax for specifying metadata is as follows:

```yaml
metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value>
```

📌 The metadata field name must exactly match the name of a metadata field in Command. If the metadata field name does not match, the CSR enrollment will fail.

To apply these annotations, include them in the metadata section of your CertificateRequest resource:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    command-issuer.keyfactor.com/certificateTemplate: "Ephemeral2day"
    command-issuer.keyfactor.com/certificateAuthorityLogicalName: "InternalIssuingCA1"
    metadata.command-issuer.keyfactor.com/ResponsibleTeam: "[email protected]"
    # ... other annotations
spec:
  # ... the rest of the spec
```
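
Because these annotations let whoever writes the Certificate pick the template and CA, and because a mistyped metadata field name fails enrollment, it helps to lint annotations before they reach the cluster. The following pre-flight check is an added example, not code from the issuer project; the function name, the allowlists, and the list of fields defined in Command are assumptions for illustration.

```python
OVERRIDE_PREFIX = "command-issuer.keyfactor.com/"
METADATA_PREFIX = "metadata.command-issuer.keyfactor.com/"
# The three override annotations listed on this page.
OVERRIDE_KEYS = {"certificateTemplate", "certificateAuthorityLogicalName",
                 "certificateAuthorityHostname"}


def check_annotations(annotations, known_fields, allowed_templates, allowed_cas):
    """Split issuer annotations into overrides and metadata; collect problems."""
    overrides, metadata, problems = {}, {}, []
    by_lower = {f.lower(): f for f in known_fields}
    for key, value in annotations.items():
        if key.startswith(METADATA_PREFIX):
            field = key[len(METADATA_PREFIX):]
            metadata[field] = value
            if field not in known_fields:
                # Names must match exactly, so a case slip fails enrollment.
                hint = by_lower.get(field.lower())
                problems.append(f"unknown metadata field {field!r}"
                                + (f" (did you mean {hint!r}?)" if hint else ""))
        elif key.startswith(OVERRIDE_PREFIX):
            name = key[len(OVERRIDE_PREFIX):]
            if name in OVERRIDE_KEYS:
                overrides[name] = value
            else:
                problems.append(f"unsupported override annotation {name!r}")
    # Assumed local policy: overrides may only select pre-approved values.
    for name, allowed in (("certificateTemplate", allowed_templates),
                          ("certificateAuthorityLogicalName", allowed_cas)):
        if name in overrides and overrides[name] not in allowed:
            problems.append(f"{name} {overrides[name]!r} is not on the allowlist")
    return overrides, metadata, problems


# Constructed inputs: fields defined in Command and values the cluster team permits.
KNOWN_FIELDS, ALLOWED_TEMPLATES, ALLOWED_CAS = {"ResponsibleTeam"}, {"Ephemeral2day"}, {"InternalIssuingCA1"}
GOOD = {  # names and values from the page; the e-mail value is constructed
    "command-issuer.keyfactor.com/certificateTemplate": "Ephemeral2day",
    "command-issuer.keyfactor.com/certificateAuthorityLogicalName": "InternalIssuingCA1",
    "metadata.command-issuer.keyfactor.com/ResponsibleTeam": "team@example.com",
}
BAD = {  # constructed: unapproved template and a wrong-case metadata field name
    "command-issuer.keyfactor.com/certificateTemplate": "LongLived10yr",
    "metadata.command-issuer.keyfactor.com/responsibleteam": "team@example.com",
}

if __name__ == "__main__":
    for label, ann in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_annotations(ann, KNOWN_FIELDS, ALLOWED_TEMPLATES, ALLOWED_CAS)[2])
```

The same function can back a CI step or an admission webhook by passing it the `metadata.annotations` map of each Certificate or CertificateRequest.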