Cert-manager: Allow selecting the certificate format to be used

Created on 17 Dec 2018 · 4 Comments · Source: jetstack/cert-manager

Is your feature request related to a problem? Please describe.
Currently, certificate keys created by cert-manager are created using the PKCS#1 format; however, in some applications, this format may not be a supported format.

Specifically, this is a feature that would enable us to better handle self-signed certificates that we generate using cert-manager for the "Logstash" application, which only currently supports the PKCS#8 format.

Describe the solution you'd like
Similar to keyAlgorithm, allow users to specify a format that the certificate should be made available in.

Depending on preferences here
(1) The format could determine the overall format used for the certificate tls.key and tls.crt values (this is what I was thinking).
(2) Alternatively, the format could enable the secret to include multiple files in the formats specified by the user (i.e. tls-pkcs8.key, tls-pkcs8.crt).

Describe alternatives you've considered
Currently, we've worked around this by having an initContainer run an OpenSSL command to convert the contents of the certificate secrets into the format required by the application — however, this has downsides with handling certificate rotation within the pod and introduces external dependencies to get the pod and certificate in place.

/kind feature

Labels: area/api, help wanted, kind/feature, lifecycle/rotten, priority/important-longterm
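The PKCS#1 to PKCS#8 re-encoding that the workaround in the issue performs with an OpenSSL command can be done with Go's standard library alone. The following is an added example, not part of the original issue and not cert-manager's code; the function names `pkcs1ToPKCS8` and `roundTrip` are hypothetical and the key is a throwaway one constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// pkcs1ToPKCS8 (hypothetical name): PKCS#1 or PKCS#8 PEM in, unencrypted PKCS#8 PEM out.
func pkcs1ToPKCS8(in []byte) (out []byte, err error) {
	block, _ := pem.Decode(in)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	var key interface{}
	switch block.Type {
	case "PRIVATE KEY": // already PKCS#8 (PrivateKeyInfo): validate and re-encode
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY": // PKCS#1 (RSAPrivateKey), the format described in the issue
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	default: // certificates and any other PEM type are refused
		err = fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err == nil {
		out, err = x509.MarshalPKCS8PrivateKey(key) // DER-encoded PrivateKeyInfo
	}
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: out}), nil
}

// roundTrip converts a constructed throwaway key; reports output PEM type and key equality.
func roundTrip() (string, bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	out, err := pkcs1ToPKCS8(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}))
	if err != nil {
		return "", false, err
	}
	block, _ := pem.Decode(out)
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	rk, ok := parsed.(*rsa.PrivateKey)
	return block.Type, ok && rk.N.Cmp(key.N) == 0 && rk.D.Cmp(key.D) == 0, err
}
func main() { fmt.Println(roundTrip()) }
```

The output is an unencrypted private key, so a caller that writes it to a volume should create the file with mode 0600.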

All 4 comments

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

Other formats that might be useful: PFX / PKCS#12 (.NET Core, several things on Windows). Separate chain (Older Apache versions, RabbitMQ), Java keytool keystore (Likely ugly, but useful...) (with single cert, key, chain and CA (if available)), NSS (certutil managed) databases... (e.g. for Apache with mod_nss)
