
Support importing existing root CA #151

Open
ls-jad-elkik opened this issue Aug 30, 2022 · 0 comments

Summary

Would it be possible to provide a root CA that is provisioned elsewhere? I'm thinking of the following use case:

  1. Generate a CSR inter-ca.csr for the intermediate CA inter-ca with the KMS key alias/inter-ca-key and custom subject information
  2. Generate a cert for the intermediate CA inter-ca.crt with the root key that is offline (not on KMS - since it does not allow importing existing asymmetric keys)
  3. Create a KMS issuer using the intermediate certificate inter-ca.crt and the KMS key alias/inter-ca-key

I'm imagining something like this:

---
apiVersion: cert-manager.skyscanner.net/v1alpha1
kind: KMSKey
metadata:
  name: inter-ca-key
spec:
  aliasName: alias/inter-ca-key
  description: a kms-issuer example kms key for inter-ca
  customerMasterKeySpec: RSA_2048
  tags:
    project: kms-issuer
  deletionPolicy: Delete
  deletionPendingWindowInDays: 7

---
apiVersion: cert-manager.skyscanner.net/v1alpha1   # same group as the KMSIssuer that references it
kind: KMSImportedCertificate
metadata:
  name: inter-ca-imported-cert   # must match the bootstrapCertificateRef below
  namespace: default
spec:
  duration: 8760h # 1 year
  # renewBefore: 360h # 15d
  subject:
    organizations:
      - skyscanner
  commonName: example.com
  isCA: true
  usages: [...]
---
apiVersion: cert-manager.skyscanner.net/v1alpha1
kind: KMSIssuer
metadata:
  name: inter-ca-issuer
  namespace: default
spec:
  keyId: alias/inter-ca-key # The KMS key id or alias
  bootstrapCertificateRef:
    name: inter-ca-imported-cert
    kind: KMSImportedCertificate
    group: cert-manager.skyscanner.net

KMSImportedCertificate will have the CSR generated by the controller and stored in a CertificateRequest object. And when the cert is generated offline, it can be stored in its status.

Alternatively, bootstrapCertificateRef could reference an existing Certificate resource which is issued by some other issuer.

The spec of KMSImportedCertificate would be almost like Certificate but without the privateKey and secretName, and dnsNames/uris/ipAddresses are not relevant for an intermediate CA.
