Refreshing leaf certificates

Certificate chains in cert-manager follow the structure of:

Issuer -> Certificate -> Issuer -> Certificate

A Certificate can be a CA certificate by setting isCA: true in the spec section of the Certificate YAML. By default, when a CA certificate is renewed, the downstream (leaf) certificates signed by it are not renewed or refreshed. The cert-manager-operator provides an opt-in feature that automatically refreshes leaf certificates when their CA certificate is renewed.

To opt in:

  1. Add the following label to the Certificate metadata, ibm-cert-manager-operator/refresh-ca-chain: "true". For example:

     apiVersion: cert-manager.io/v1
     kind: Certificate
     metadata:
       labels:
         ibm-cert-manager-operator/refresh-ca-chain: "true"
       name: example-ca-certificate
     spec:
       secretName: example-ca-certificate-secret
       issuerRef:
         name: example-issuer
         kind: Issuer
       commonName: example-ca-certificate
       isCA: true

Refreshing leaf certificates based on secret

In cases where the start of the Certificate chain is from a Kubernetes secret:

Secret -> Issuer -> Certificate

It is still possible to opt in for leaf certificate refresh. Possible use cases for such a structure are as follows:

To opt in:

  1. Add the following label to the Secret metadata, ibm-cert-manager-operator/refresh-ca-chain: "true". For example:

     apiVersion: v1
     kind: Secret
     metadata:
       labels:
         ibm-cert-manager-operator/refresh-ca-chain: "true"
       name: example-ca-secret
     type: kubernetes.io/tls
     data:
       ca.crt: <certificate>
       tls.crt: <certificate>
       tls.key: <private key>
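To audit which leaf Certificates in a set of manifests would be left stale because their chain head lacks the opt-in label, here is an added example (not part of this page or of the cert-manager-operator) covering both the Issuer -> Certificate and the Secret -> Issuer chains above. It walks each Certificate's issuerRef to its CA Issuer's spec.ca.secretName (the standard cert-manager CA-issuer field) and resolves that secret to either a CA Certificate or a raw Secret; the manifests are constructed Python dicts (what yaml.safe_load would return), and ClusterIssuer is not handled.

```python
"""Report leaf Certificates whose CA object lacks the refresh-ca-chain label."""

REFRESH_LABEL = "ibm-cert-manager-operator/refresh-ca-chain"

def _labelled(obj):
    """True when the object carries the opt-in label with value "true"."""
    labels = obj.get("metadata", {}).get("labels") or {}
    return labels.get(REFRESH_LABEL) == "true"

def find_ca(cert, issuers, certs_by_secret, secrets_by_name):
    """Return the CA object (Certificate or Secret) whose label controls
    refresh of `cert`, or None when the issuer has no CA secret (selfSigned,
    external issuer) or is a ClusterIssuer (not modelled here)."""
    ref = cert["spec"].get("issuerRef", {})
    if ref.get("kind", "Issuer") != "Issuer":
        return None
    issuer = issuers.get(ref.get("name"))
    if not issuer or "ca" not in issuer.get("spec", {}):
        return None
    secret_name = issuer["spec"]["ca"]["secretName"]
    if secret_name in certs_by_secret:           # Issuer -> Certificate chain
        return certs_by_secret[secret_name]
    return secrets_by_name.get(secret_name)      # Secret -> Issuer chain

def unrefreshed_leaves(manifests):
    """Return (leaf name, CA kind, CA name) for every leaf that will NOT be
    refreshed when its CA renews, because the CA object is not opted in."""
    issuers = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Issuer"}
    secrets = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Secret"}
    certs = [m for m in manifests if m["kind"] == "Certificate"]
    certs_by_secret = {c["spec"]["secretName"]: c for c in certs}
    stale = []
    for c in certs:
        ca = find_ca(c, issuers, certs_by_secret, secrets)
        if ca is not None and not _labelled(ca):
            stale.append((c["metadata"]["name"], ca["kind"], ca["metadata"]["name"]))
    return stale

SAMPLE = [  # constructed sample manifests, not taken from a real cluster
    {"kind": "Issuer", "metadata": {"name": "selfsigned"}, "spec": {"selfSigned": {}}},
    {"kind": "Certificate", "metadata": {"name": "root-ca", "labels": {REFRESH_LABEL: "true"}},
     "spec": {"isCA": True, "secretName": "root-ca-secret",
              "issuerRef": {"name": "selfsigned", "kind": "Issuer"}}},
    {"kind": "Issuer", "metadata": {"name": "root-ca-issuer"}, "spec": {"ca": {"secretName": "root-ca-secret"}}},
    {"kind": "Certificate", "metadata": {"name": "web-leaf"},
     "spec": {"secretName": "web-tls", "issuerRef": {"name": "root-ca-issuer", "kind": "Issuer"}}},
    {"kind": "Secret", "metadata": {"name": "imported-ca"}, "type": "kubernetes.io/tls", "data": {}},
    {"kind": "Issuer", "metadata": {"name": "imported-ca-issuer"}, "spec": {"ca": {"secretName": "imported-ca"}}},
    {"kind": "Certificate", "metadata": {"name": "api-leaf"},
     "spec": {"secretName": "api-tls", "issuerRef": {"name": "imported-ca-issuer", "kind": "Issuer"}}},
]

if __name__ == "__main__":
    print(unrefreshed_leaves(SAMPLE))  # [('api-leaf', 'Secret', 'imported-ca')]
```

The web-leaf chain is fine because its CA Certificate carries the label; api-leaf is reported because the imported CA Secret does not.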