@weltonrodrigo
Last active December 23, 2022 14:43
How to configure cert-manager to emit certificates from ssl.com?

SSL.com has an ACME service for free 90-day SSL certificates.

It's pretty simple to configure cert-manager to use it. You'll need:

  1. A secret containing the HMAC key.
  2. An Issuer or ClusterIssuer configured with your user on ssl.com and their ACME URL.
  3. An ssl.com account.

SSL.com ACME credentials

Follow this tutorial to get your ACME credentials: https://archive.is/27ko6#ftoc-heading-2

Note down your HMAC key and key_id. Edit the credential and include the roles individual_certificate and validations (not sure if those are really necessary).

Cert-manager configuration

Suppose your HMAC key is TiFfIi57ms0ZRgbYRyVmhHpwtlu0oLTB2COR2ukAyk, your key_id is a4aaa21ddd33 and your ssl.com username is foo@bar.com.

Create a secret for your HMAC key in the same namespace as the cert-manager pod (normally called cert-manager):

  kubectl create secret generic sslcom-eabsecret \
    -n cert-manager --from-literal secret=TiFfIi57ms0ZRgbYRyVmhHpwtlu0oLTB2COR2ukAyk

Create a ClusterIssuer (or Issuer) for ssl.com:

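apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sslcom
spec:
  acme:
    # Your ssl.com username
    email: foo@bar.com
    # External account binding: ties the ACME account to your ssl.com credentials
    externalAccountBinding:
      keyAlgorithm: HS256
      keyID: a4aaa21ddd33
      keySecretRef:
        key: secret
        name: sslcom-eabsecret
    # cert-manager requires this field: the Secret in which it stores the
    # ACME account private key. The name is an example; any name works.
    privateKeySecretRef:
      name: sslcom-account-key
    server: https://acme.ssl.com/sslcom-dv-rsa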

From here on, you can proceed exactly as you would with Let's Encrypt.
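The keyID and HMAC key configured above are used for ACME external account binding (RFC 8555, section 7.3.4). The Python below is an added example, not code from this gist or from cert-manager: it builds and verifies the HS256 binding JWS and rejects a key that is not unpadded base64url, a common cause of a failing issuer. The new-account URL and the account JWK are constructed placeholders.

```python
import base64, hashlib, hmac, json, re

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_eab_key(key: str) -> bytes:
    """Decode an unpadded base64url MAC key; reject anything else
    (trailing newline, '+', '/', '=' from a copy/paste or re-encoding)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", key):
        raise ValueError("HMAC key is not unpadded base64url")
    return base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))

def eab_jws(key_id: str, hmac_key: str, new_account_url: str, account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS: HS256 over the account public key."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(decode_eab_key(hmac_key),
                   f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}

def verify_eab_jws(jws: dict, hmac_key: str) -> bool:
    """What the CA side does: recompute the MAC and compare in constant time."""
    expected = hmac.new(decode_eab_key(hmac_key),
                        f"{jws['protected']}.{jws['payload']}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), jws["signature"])

if __name__ == "__main__":
    # key_id and HMAC key are the example values from the text above.
    # The URL and JWK are constructed placeholders, not real ssl.com values.
    key_id = "a4aaa21ddd33"
    hmac_key = "TiFfIi57ms0ZRgbYRyVmhHpwtlu0oLTB2COR2ukAyk"
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    jws = eab_jws(key_id, hmac_key, "https://acme.example/new-account", jwk)
    print(json.dumps(jws, indent=2))
    print("verifies:", verify_eab_jws(jws, hmac_key))
```

Running `decode_eab_key` on the value you are about to store in the Secret catches a stray newline or a standard-base64 key before cert-manager tries to register the account.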
