diff --git a/.spelling b/.spelling index a32d71275b2..1612112ea7e 100644 --- a/.spelling +++ b/.spelling @@ -648,6 +648,7 @@ zhangzhiqiangcs arukiidou Richardds kahirokunn +selfsigned-issuer # TEMPORARY # these are temporarily ignored because the spellchecker diff --git a/content/docs/configuration/selfsigned.md b/content/docs/configuration/selfsigned.md index bfc2b39b2b4..22623da1e15 100644 --- a/content/docs/configuration/selfsigned.md +++ b/content/docs/configuration/selfsigned.md @@ -117,6 +117,48 @@ spec: secretName: root-secret ``` +Alternatively, if you are looking to use `ClusterIssuer` for signing `Certificates` anywhere in your cluster with the `SelfSigned` `Certificate` CA, use the YAML below (slight modification to the last step): + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: sandbox +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: my-selfsigned-ca + namespace: cert-manager +spec: + isCA: true + commonName: my-selfsigned-ca + secretName: root-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: selfsigned-issuer + kind: ClusterIssuer + group: cert-manager.io +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: my-ca-issuer +spec: + ca: + secretName: root-secret +``` +The "selfsigned-issuer" `ClusterIssuer` is used to issue the Root CA Certificate. Then, "my-ca-issuer" `ClusterIssuer` is used to issue but also sign certificates using the newly created Root CA `Certificate`, which is what you will use for future certificates cluster-wide. + ### CRL Distribution Points You may also optionally specify [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list)
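Review bot: In `.spelling`, the new `selfsigned-issuer` entry is appended after `kahirokunn` in what reads as a list of contributor handles, and it appears to be needed only because the new paragraph in `selfsigned.md` writes "selfsigned-issuer" and "my-ca-issuer" in plain quotes. Putting both resource names in backticks, as that paragraph already does for `ClusterIssuer` and `Certificate`, would be more consistent and would likely let this entry be dropped, assuming the spellchecker skips inline code.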
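Review bot: In the `content/docs/configuration/selfsigned.md` hunk, the YAML opens with a `Namespace` named `sandbox` that nothing else in the example uses: both issuers are cluster-scoped and the `Certificate` sets `namespace: cert-manager`. Drop that manifest, and add a sentence saying why the CA `Certificate` is created in `cert-manager`: a `ClusterIssuer` reads `root-secret` from the cluster resource namespace, which is `cert-manager` by default, so a reader who keeps the namespace from the earlier namespaced example ends up with a `my-ca-issuer` that cannot find its secret. It is also worth stating next to that sentence that `my-ca-issuer` can sign for every namespace, so access to `root-secret` needs to be restricted accordingly. Smaller points: add a blank line between the closing code fence and the paragraph that follows it, and reword "used to issue but also sign certificates", which reads as if issuing and signing were separate steps.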