Using IBM Cloud Private Certificate manager (cert-manager)
You can use the IBM Cloud Private cert-manager to create and mount a certificate to a Kubernetes Deployment, StatefulSet, or DaemonSet. You can also create and add a certificate to a Kubernetes Ingress.
Issuer, ClusterIssuer, and Certificate are Kubernetes resource types that were introduced to support certificate generation and lifecycle management. For more information about cert-manager, see the cert-manager community documentation.
IBM Cloud Private has one ClusterIssuer, icp-ca-issuer, which holds an IBM Cloud Private self-signed CA certificate and key pair. The certificate and key pair are stored as a Secret, cluster-ca-cert, within the kube-system namespace and are generated when you install IBM Cloud Private. You can create your own Issuers for your own workloads after installation.
See the following list to learn how IBM Cloud Private cert-manager works:
- The Issuer signs new certificates and key pairs.
- The certificate represents an X.509 certificate and key pair for TLS or authentication.
- The certificate is stored as a Kubernetes Secret.
- The certificate is renewed automatically.
For more information about Certificate manager and other configuration tools, see the following product documentation:
- Creating IBM Cloud Private cert-manager certificates
- Creating your own self-signed and CA Issuers
- Adding certificates by using the Vault Issuer
- Adding certificates by using the ECDSA algorithm for encryption
For information about refreshing, replacing, and restoring certificates created and managed by Installer, see Certificates in IBM Cloud Private.