Enabling automatic refresh of CA signed certificates
Certificates are renewed automatically by the cert-manager-controller pod; however, renewal is based on each certificate's own expiration time. When a CA certificate is renewed, the certificates signed by that CA, such as downstream or leaf certificates, are therefore not renewed automatically by default.
To enable automatic refresh of CA-signed certificates, add the ibm-cert-manager-operator/refresh-ca-chain: "true" label to the CA Certificate resource (under metadata.labels, as in the example below).
The following is an example of a CA certificate with the ibm-cert-manager-operator/refresh-ca-chain: "true" label:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-ca-tls
  namespace: foobar
  labels:
    ibm-cert-manager-operator/refresh-ca-chain: "true"
spec:
  secretName: hello-deployment-tls-ca-key-pair
  isCA: true
  issuerRef:
    name: hello-myself-tls
    kind: Issuer
  dnsNames:
    - foo1.bar1
Adding the refresh label flags the CA certificate so that the cert-manager operator renews all certificates signed by this CA whenever the CA certificate itself is renewed.
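As an added audit (not code from the page or from the operator), the following script walks the Certificate and Issuer objects of a cluster, maps each leaf Certificate to the CA Certificate its Issuer signs with, and reports leaves whose CA lacks the refresh label and so would keep their old chain after a CA renewal. It assumes the objects have the shape returned by kubectl get certificates,issuers -o json and that leaves are signed through namespaced CA-type Issuers; the sample objects are constructed.

```python
# Added audit (not the page's or the operator's code): list leaf Certificates
# whose signing CA Certificate lacks ibm-cert-manager-operator/refresh-ca-chain
# = "true", so they would NOT be re-issued when that CA is renewed. Items follow
# `kubectl get certificates,issuers -o json`; the sample below is constructed.
REFRESH_LABEL = "ibm-cert-manager-operator/refresh-ca-chain"


def cert(name, ns, secret, issuer, is_ca=False, labels=None):
    return {"kind": "Certificate",
            "metadata": {"name": name, "namespace": ns, "labels": labels or {}},
            "spec": {"secretName": secret, "isCA": is_ca,
                     "issuerRef": {"name": issuer, "kind": "Issuer"}}}


def ca_issuer(name, ns, secret):
    # CA-type Issuer that signs with the key pair stored in `secret`.
    return {"kind": "Issuer", "metadata": {"name": name, "namespace": ns},
            "spec": {"ca": {"secretName": secret}}}


SAMPLE_ITEMS = [  # the page's labelled CA plus a constructed, unlabelled one
    cert("hello-ca-tls", "foobar", "hello-deployment-tls-ca-key-pair",
         "hello-myself-tls", is_ca=True, labels={REFRESH_LABEL: "true"}),
    ca_issuer("hello-ca-issuer", "foobar", "hello-deployment-tls-ca-key-pair"),
    cert("hello-app-tls", "foobar", "hello-app-tls", "hello-ca-issuer"),
    cert("legacy-ca", "foobar", "legacy-ca-key-pair", "hello-myself-tls", is_ca=True),
    ca_issuer("legacy-issuer", "foobar", "legacy-ca-key-pair"),
    cert("legacy-app-tls", "foobar", "legacy-app-tls", "legacy-issuer"),
]


def unrefreshed_leaves(items):
    """Return (ca_name, leaf_name) pairs for leaves signed by an unlabelled CA."""
    certs = [i for i in items if i["kind"] == "Certificate"]
    # (namespace, secretName) -> the CA Certificate that owns that key pair
    ca_by_secret = {(c["metadata"]["namespace"], c["spec"]["secretName"]): c
                    for c in certs if c["spec"].get("isCA")}
    # (namespace, issuer name) -> CA Certificate the Issuer signs with
    issuer_ca = {}
    for iss in (i for i in items if i["kind"] == "Issuer" and "ca" in i["spec"]):
        key = (iss["metadata"]["namespace"], iss["spec"]["ca"]["secretName"])
        if key in ca_by_secret:
            issuer_ca[(key[0], iss["metadata"]["name"])] = ca_by_secret[key]
    findings = []
    for leaf in certs:
        ref = leaf["spec"]["issuerRef"]
        if ref.get("kind", "Issuer") != "Issuer":  # ClusterIssuer chains not covered
            continue
        ca = issuer_ca.get((leaf["metadata"]["namespace"], ref["name"]))
        # The documented label value is the string "true"; require exactly that.
        if ca and ca["metadata"].get("labels", {}).get(REFRESH_LABEL) != "true":
            findings.append((ca["metadata"]["name"], leaf["metadata"]["name"]))
    return findings
```

Run against real cluster output by loading the JSON and passing its items list to unrefreshed_leaves; every pair it returns is a leaf that will not follow its CA through a renewal until the label is added.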