Adding certificates by using the ECDSA algorithm for encryption

With Certificate manager, you can issue certificates whose private keys use the ECDSA algorithm. A Certificate resource can specify the key algorithm and the key size. Use the keyAlgorithm and keySize parameters to specify your customizations for the private key; for ecdsa, keySize selects the curve and must be 256, 384 or 521. If these parameters are not set, a 2048-bit RSA key is created.

Note: apiVersion: certmanager.k8s.io/v1alpha1 is deprecated. Use apiVersion: cert-manager.io/v1.

Creating a certificate with ECDSA

To create a certificate that uses the ECDSA algorithm, follow the procedure in Creating Certificate manager (cert-manager) certificates, but use the following sample, in which the keyAlgorithm and keySize fields are required to select ECDSA:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ecdsa-ca-cert
  namespace: default
spec:
  secretName: ecdsa-ca-secret
  keyAlgorithm: ecdsa
  keySize: 521
  isCA: true
  issuerRef:
    name: ss-issuer
    kind: Issuer
  commonName: foo1.bar1
  dnsNames:
  - foo1.bar1
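
Because a Certificate whose keyAlgorithm and keySize are not honoured silently falls back to a 2048-bit RSA key, it is worth verifying the private key that actually lands in the secret (the tls.key field of ecdsa-ca-secret above). The following Go check is an added example, not code from the original page or from cert-manager; CheckTLSKey and SampleTLSKey are names chosen here, and the sample keys are generated locally as constructed stand-ins for a real secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)
// CheckTLSKey returns nil only if the tls.key PEM holds an ECDSA key on the curve that
// matches keySize (256, 384 or 521); otherwise it reports what was found instead.
func CheckTLSKey(pemBytes []byte, keySize int) (err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return fmt.Errorf("no PEM block in tls.key")
	}
	var key any
	switch block.Type { // cert-manager writes SEC1, PKCS#1 or PKCS#8 depending on encoding
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	default:
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	if err != nil {
		return err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok { // e.g. *rsa.PrivateKey: the RSA 2048 default was used, ECDSA settings ignored
		return fmt.Errorf("want ECDSA %d, got %T", keySize, key)
	}
	if bits := ec.Curve.Params().BitSize; bits != keySize {
		return fmt.Errorf("want ECDSA %d, got ECDSA %d", keySize, bits)
	}
	return nil
}
// SampleTLSKey is a constructed stand-in for cert-manager's tls.key output: an ECDSA
// key on the given curve (SEC1 encoding), or the 2048-bit RSA default when curve is nil.
func SampleTLSKey(curve elliptic.Curve) []byte {
	if curve == nil {
		k, _ := rsa.GenerateKey(rand.Reader, 2048)
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
	}
	k, _ := ecdsa.GenerateKey(curve, rand.Reader)
	der, _ := x509.MarshalECPrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}
```

Against a live cluster, feed CheckTLSKey the decoded key, for example the output of kubectl get secret ecdsa-ca-secret -o jsonpath='{.data.tls\.key}' | base64 -d.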

Using ECDSA with Issuers

CA Issuer

  1. See the following sample YAML, which uses Certificate manager to create a self-signed Issuer; this Issuer signs the ECDSA CA certificate in the next step:

     apiVersion: cert-manager.io/v1
     kind: Issuer
     metadata:
       name: ss-issuer
       namespace: default
     spec:
       selfSigned: {}
    
  2. Next, create a CA certificate that is issued from the self-signed Issuer and that uses the ECDSA key algorithm. See the following sample:

     apiVersion: cert-manager.io/v1
     kind: Certificate
     metadata:
       name: ecdsa-ca-cert
       namespace: default
     spec:
       secretName: ecdsa-ca-secret
       keyAlgorithm: ecdsa
       keySize: 521
       isCA: true
       issuerRef:
         name: ss-issuer
         kind: Issuer
       commonName: foo1.bar1
       dnsNames:
       - foo1.bar1
    
  3. Edit the following sample to create the CA Issuer backed by that CA certificate (its key and certificate are read from the ecdsa-ca-secret secret):

     apiVersion: cert-manager.io/v1
     kind: Issuer
     metadata:
       name: ecdsa-ca-issuer
       namespace: default
     spec:
       ca:
         secretName: ecdsa-ca-secret
    

Vault Issuer

You can create certificates from a Vault Issuer that uses ECDSA keys instead of RSA by configuring key_type and key_bits on the Vault PKI role that issues the certificates. For more information about the Vault Issuer, see Adding a certificate by using the Vault Issuer.

On your Vault server, update the PKI role that the Vault Issuer signs against and set key_type and key_bits. The following command assumes the role my-role on a PKI secrets engine mounted at pki; because vault write replaces the role definition, repeat the role's other parameters (such as allowed_domains) in the same command:

   vault write pki/roles/my-role key_type=ec key_bits=521

When you create Certificate resources, be sure to use a keySize that matches, or is greater than, the key_bits that you specify in your Vault server:

   key_type=ec
   key_bits=256, 384 or 521

See IBM Certificate manager (cert-manager) for more Certificate manager topics.