CertificateManager custom resource

Use CertificateManager to create TLS/SSL certificates for your web domains and servers.

  • The Operator uses the CertificateManager custom resource to generate certificates for internal server-to-server communication, so that internal calls are made over HTTPS.
  • Note: The generated certificates are self-signed. For production environments, it is recommended that you acquire your domain certificates externally.
  • All the certificates generated by this custom resource are signed by the same Certificate Authority.

Transport Layer Security (TLS) and Certificate Authorities (CA)

In a distributed system such as Kubernetes, Transport Layer Security (TLS) and Certificate Authorities (CA) play crucial roles in ensuring secure communication between services.

TLS is used for encrypting the communication between clients and servers to prevent eavesdropping, tampering, and forgery. The CA is a trusted entity that issues digital certificates to authenticate the identity of entities such as servers or clients.

Transport Layer Security certificates
These certificates are used to secure communication channels, ensuring data privacy and integrity between services.
Certificate Authority
This is a trusted body that signs certificates and provides the necessary information to validate the legitimacy of those certificates.

Why is the Certificate Authority important for Transport Layer Security?

The root Certificate Authority plays a vital role in issuing and validating TLS certificates for the following reasons:

Trust establishment
A CA validates the identity of the certificate requester, such as a server, and then issues a TLS certificate that confirms the identity of that server. Without a trusted CA, clients cannot verify the legitimacy of the server they are communicating with.
Validation process
A TLS certificate is trusted only if it is signed by a trusted CA. When a client receives a TLS certificate, it checks the certificate's signature against the CA certificates it trusts and rejects the certificate if it was not issued by one of them.
Chain of trust
The CA is the foundation of the trust chain. The root CA certificate is self-signed, and intermediate certificates can be used to sign the TLS certificates for individual services. These service certificates are then validated against the root CA, ensuring that the communication remains secure.
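The chain of trust described above in working code, as an added example (not code from the Operator or CertificateManager): a self-signed root CA issues a server certificate, and a client-side check accepts the certificate only when it chains to that CA and matches the requested host name. The names internal-ca and api.example.svc are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name: self-signed when parent is nil (a root CA), otherwise signed by parent.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // random serial, as real CAs use
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	} else { // clients match the server name against the SAN list, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the root CA signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAgainst reports whether leaf chains to root and is valid for dnsName, which is what a TLS client checks.
func verifyAgainst(leaf, root *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}
```

A certificate issued by one CA does not verify against a different CA's pool, which is why every service certificate from CertificateManager is signed by the same CA and clients must trust that CA.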

For more information, see Key features and benefits of CertificateManager.