This section explains how to create the required PKI objects in CryptoHub for Kubernetes cert-manager to integrate. The process ensures that every TLS (Transport Layer Security) certificate request in Kubernetes is securely routed through CryptoHub’s approval workflow and signed by a designated certificate authority (CA) before being issued.

Create a PKI Signing Approval bucket to hold requests

Perform the following steps to create a PKI Signing Approval bucket to hold certificate requests:
1. Log in to CryptoHub with your administrator identities.
2. Go to PKI and CA > PKI Signing Approvals.
3. Select [ Add Approval Group ].
4. Enter a Name for the approval group (e.g., Kubernetes) and select [ OK ].
5. Right-click the PKI Signing Approval bucket (i.e., Approval Group) you just created and select Permission.
6. Select the Kubernetes cert-manager role in the dropdown menu, then select [ Add ].
7. Grant the Use permission to the Kubernetes cert-manager role.
8. Select [ Save ].

Create an X.509 Certificate Container

Perform the following steps to create an X.509 certificate container:
1. Go to PKI and CA > Certificate Management.
2. Select [ Add CA ].
3. In the X.509 Certificate Container creation dialog, configure the following settings:
  • Name: Kubernetes cert-manager CA
  • Host: Select None.
  • Type: Select X.509.
  • Owner group: Select the Kubernetes cert-manager role that CryptoHub created for the service.

Generate the CA certificates

Perform the following steps to generate a self-signed root CA and an issuing CA:
1. Right-click the Kubernetes cert-manager CA X.509 certificate container and select Add Certificate > New Certificate.
2. Configure the following Subject DN settings:
  • Preset: Select Classic.
  • Common Name: Root
3. Configure the following Basic Info settings:
  • Change the key Size to 4096.
  • Leave all other fields set to the default values.
4. Configure the following V3 Extensions settings:
  • Profile: Select Certificate Authority.
5. Select [ OK ] to generate the certificate.
6. Right-click the Root certificate and select Add Certificate > New Certificate.
7. Repeat steps 5–8 to create an Issuing CA certificate under the Root CA certificate.
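The check below is added here and is not part of the CryptoHub documentation; it uses Python's `cryptography` library to confirm that a certificate chain has the shape this procedure produces: a self-signed 4096-bit Root carrying the Certificate Authority profile, an Issuing CA signed by it, and a TLS leaf with the serverAuth extended key usage. The sample chain it builds is constructed in code, and the names Kubernetes Issuing CA and svc.example.internal and the use of RSA PKCS#1 v1.5 signatures are assumptions rather than values taken from CryptoHub.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID
def make_cert(cn, key, issuer=None, issuer_key=None, ca=False, server_auth=False):
    # ca / server_auth stand in for the Certificate Authority and TLS Certificate profiles
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subj)
         .issuer_name(issuer.subject if issuer else subj)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if server_auth:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())
def signed_by(cert, signer):
    # RSA PKCS#1 v1.5 signature check against the claimed signer's public key (assumed scheme)
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False
def check_chain(leaf, issuing, root, min_ca_bits=4096):
    # Returns a list of findings; an empty list means the chain has the expected shape
    findings = []
    for label, cert in (("root", root), ("issuing", issuing)):
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            findings.append(f"{label}: BasicConstraints CA is false")
        if cert.public_key().key_size < min_ca_bits:
            findings.append(f"{label}: key size {cert.public_key().key_size} below {min_ca_bits}")
    if leaf.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        findings.append("leaf: must not be a CA")
    for label, cert, signer in (("root", root, root), ("issuing", issuing, root), ("leaf", leaf, issuing)):
        if cert.issuer != signer.subject or not signed_by(cert, signer):
            findings.append(f"{label}: not issued by {signer.subject.rfc4514_string()}")
    ekus = [e.value for e in leaf.extensions if e.oid == ExtensionOID.EXTENDED_KEY_USAGE]
    if not ekus or ExtendedKeyUsageOID.SERVER_AUTH not in ekus[0]:
        findings.append("leaf: missing serverAuth EKU")
    return findings
def build_demo_chain(issuing_bits=4096):
    # Constructed sample chain mirroring the page: 4096-bit Root, Issuing CA under it, TLS leaf
    root_key = rsa.generate_private_key(65537, 4096)
    root = make_cert("Root", root_key, ca=True)
    iss_key = rsa.generate_private_key(65537, issuing_bits)
    issuing = make_cert("Kubernetes Issuing CA", iss_key, root, root_key, ca=True)
    leaf_key = rsa.generate_private_key(65537, 2048)
    leaf = make_cert("svc.example.internal", leaf_key, issuing, iss_key, server_auth=True)
    return leaf, issuing, root
```

To check a chain actually issued through CryptoHub, load the three PEM files with `x509.load_pem_x509_certificate` and pass them to `check_chain` in leaf, issuing, root order.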

Apply an Issuance Policy to the Issuing CA certificate

Perform the following steps to apply an issuance policy to the Issuing CA certificate:
1. Right-click the Kubernetes Issuing CA certificate and select Issuance Policy > Add.
2. Configure the following Basic Info settings:
  • Alias: tls-signing
  • Approvals: Set the number of required approvals per your organization’s requirements. In the Validate and test section, it is set to 1 approver for demo purposes.
3. Configure the following X.509 settings:
  • Enable the following configurations:
    • Allow CSR uploads
    • Allow renewals
    • Allow PKI generation
    • Save certificate
    • Allow self approval
    • Allow S/MIME issuance
  • Default approval group: Select the PKI Signing Approval group you just created.
  • Extension Profiles: Add the TLS Certificate profile.
4. Select [ OK ] to save and apply the issuance policy you have configured.

Allow User-Defined Parameters for the TLS Certificate Template

Perform the following steps to allow user-defined parameters for the TLS Certificate template:
1. Go to PKI and CA > Certificate Templates.
2. Right-click the TLS Certificate template and select Edit.
3. Select the Allow User-Defined Extensions checkbox to enable it.
4. Select [ OK ] to save the changes.