Refreshing leaf certificates

Certificate chains in cert-manager follow the structure of:

Issuer -> Certificate -> Issuer -> Certificate

A Certificate can be a CA certificate by specifying isCA: true in the spec section of the Certificate YAML. By default, when a CA certificate is renewed, the downstream (leaf) certificates signed by it are not renewed or refreshed. The cert-manager-operator provides an opt-in feature that automatically refreshes leaf certificates when their CA certificate is renewed.

To opt in:

  1. Add the label ibm-cert-manager-operator/refresh-ca-chain: "true" to the Certificate metadata. For example:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      labels:
        ibm-cert-manager-operator/refresh-ca-chain: "true"
      name: example-ca-certificate
    spec:
      secretName: example-ca-certificate-secret
      issuerRef:
        name: example-issuer
        kind: Issuer
      commonName: example-ca-certificate
      isCA: true

Refreshing leaf certificates based on a Secret

In cases where the Certificate chain starts from a Kubernetes Secret:

Secret -> Issuer -> Certificate

It is still possible to opt in for leaf certificate refresh. Possible use cases for such a structure are as follows:

To opt in:

  1. Add the label ibm-cert-manager-operator/refresh-ca-chain: "true" to the Secret metadata. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        ibm-cert-manager-operator/refresh-ca-chain: "true"
      name: example-ca-secret
    type: kubernetes.io/tls
    data:
      ca.crt: <certificate>
      tls.crt: <certificate>
      tls.key: <private key>
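Whichever of the two opt-in forms above is used, the condition the feature prevents is the same: a leaf whose tls.crt was signed by a CA certificate that is no longer the one in the CA secret. The following Go check, added here as an example and not code from the cert-manager-operator project, reports whether a leaf's PEM certificate still chains to the CA certificate currently held in the CA secret; the `issue` helper, the `LeafStale` function and the example-ca/example-leaf names are constructed for this demonstration, and in a cluster the two PEM inputs would be read from the secrets' tls.crt fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// issue creates a certificate for cn signed by parent; a self-signed CA when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pk = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// LeafStale returns "" when the leaf's tls.crt still chains to the CA currently in the CA secret, otherwise why it needs a refresh.
func LeafStale(currentCA, leafCert []byte) string {
	blk, _ := pem.Decode(leafCert)
	if blk == nil {
		return "leaf tls.crt is not PEM"
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return "leaf tls.crt unparsable: " + err.Error()
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AppendCertsFromPEM(currentCA) // an unparsable CA leaves the pool empty, so Verify fails
	if _, err := leaf.Verify(opts); err != nil {
		return "leaf does not chain to current CA: " + err.Error()
	}
	return ""
}

func main() {
	caPEM, ca, caKey := issue("example-ca", true, nil, nil)
	leafPEM, _, _ := issue("example-leaf", false, ca, caKey)
	newCAPEM, _, _ := issue("example-ca", true, nil, nil) // CA renewed with a fresh key, leaf not refreshed
	fmt.Printf("before renewal: %q\nafter renewal: %q\n", LeafStale(caPEM, leafPEM), LeafStale(newCAPEM, leafPEM))
}
```

A CA renewed with its existing private key still validates old leaves, so this check only flags renewals that changed the key; comparing the leaf secret's ca.crt bytes with the CA secret's tls.crt catches the stale-bundle case as well.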