Create PKI objects on CryptoHub to support the Kubernetes cert-manager integration
This section explains how to create the required PKI objects in {{ch}} for the Kubernetes cert-manager integration. The process ensures that every TLS (Transport Layer Security) certificate request in Kubernetes is securely routed through CryptoHub's approval workflow and signed by a designated certificate authority (CA) before being issued.

Create a PKI signing approval bucket to hold requests

Perform the following steps to create a PKI signing approval bucket to hold certificate requests:

1. Log in to CryptoHub with your administrator identities.
2. Go to PKI and CA > PKI Signing Approvals.
3. Select \[ Add Approval Group ].
4. Enter a name for the approval group (e.g., Kubernetes) and select \[ OK ].
5. Right-click the PKI signing approval bucket (i.e., approval group) you just created and select Permission.
6. Select the Kubernetes cert-manager role in the dropdown menu, then select \[ Add ].
7. Grant the Use permission to the Kubernetes cert-manager role.
8. Select \[ Save ].

Create an X.509 certificate container

Perform the following steps to create an X.509 certificate container:

1. Go to PKI and CA > Certificate Management.
2. Select \[ Add CA ].
3. In the X.509 Certificate Container Creation dialog, configure the following settings:
   - Name: Kubernetes cert-manager CA
   - Host: select None.
   - Type: select X.509.
   - Owner Group: select the Kubernetes cert-manager role CryptoHub created for the service.

Generate the CA certificates

Perform the following steps to generate a self-signed root CA and an issuing CA:

4. Right-click the Kubernetes cert-manager CA X.509 certificate container and select Add Certificate > New Certificate.
5. Configure the following Subject DN settings:
   - Preset: select Classic.
   - Common Name: Root
6. Configure the following Basic Info settings:
   - Change the Key Size to 4096.
   - Leave all other fields set to the default values.
7. Configure the following V3 Extensions settings:
   - Profile: select Certificate Authority.
8. Select \[ OK ] to generate the certificate.
9. Right-click the Root certificate and select Add Certificate > New Certificate.
10. Repeat steps 5–8 to create an issuing CA certificate under the root CA certificate.

Apply an issuance policy to the issuing CA certificate

Perform the following steps to apply an issuance policy to the issuing CA certificate:

1. Right-click the Kubernetes Issuing CA certificate and select Issuance Policy > Add.
2. Configure the following Basic Info settings:
   - Alias: TLS Signing Approvals
   - Set the Number of Required Approvals per your organization's requirements. In the docid\ zzqtgffqd8zcdr9cyodl section, it is set to 1 approver for demo purposes.
3. Configure the following X.509 settings:
   - Enable the following configurations:
     - Allow CSR Uploads
     - Allow Renewals
     - Allow PKI Generation
     - Save Certificate
     - Allow Self Approval
     - Allow S/MIME Issuance
   - Default Approval Group: select the PKI signing approval group you just created.
   - Extension Profiles: add the TLS certificate profile.
4. Select \[ OK ] to save and apply the issuance policy you have configured.

Allow user-defined parameters for the TLS certificate template

Perform the following steps to allow user-defined parameters for the TLS certificate template:

1. Go to PKI and CA > Certificate Templates.
2. Right-click the TLS certificate template and select Edit.
3. Select the Allow User Defined Extensions checkbox to enable it.
4. Select \[ OK ] to save the changes.
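The procedures above produce a two-tier hierarchy: a self-signed 4096-bit Root CA, an issuing CA beneath it, and TLS leaf certificates signed under the TLS template once a request clears the approval bucket. The following shell script is an added example, not part of the CryptoHub documentation or the product: it builds a constructed stand-in of that hierarchy with the openssl CLI and then runs the checks a practitioner would want to run on the chain exported from CryptoHub (the leaf verifies to the Root only through the issuing CA, both CA certificates carry 4096-bit keys and CA:TRUE, the leaf is CA:FALSE with server authentication). The file names root.crt, issuing.crt and leaf.crt, the subject names and the scratch-directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the CryptoHub documentation): build a constructed
# stand-in of the hierarchy configured above with the openssl CLI and check the
# properties that the procedure sets. File names and subjects are assumptions.
set -eu

# Build a self-signed Root (4096-bit, CA:TRUE), an Issuing CA under it, and a
# TLS leaf under the Issuing CA, inside the scratch directory $1.
build_demo_hierarchy() {
  d="$1"
  # Minimal req config so the script does not depend on a system openssl.cnf
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$d/req.cnf"
  # Extension sets: the "Certificate Authority" V3 profile and a TLS server profile
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:svc.default.svc\n' > "$d/tls.ext"

  # Root: 4096-bit key, self-signed with the CA extensions
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$d/root.key" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/root.key" -subj "/CN=Root" -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # Issuing CA: same key size and CA profile, signed by the Root ("repeat steps 5-8")
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$d/issuing.key" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/issuing.key" -subj "/CN=Kubernetes Issuing CA" -out "$d/issuing.csr"
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/issuing.crt" 2>/dev/null

  # Leaf: stands in for a cert-manager CSR approved and signed under the TLS template
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/leaf.key" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -key "$d/leaf.key" -subj "/CN=svc.default.svc" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" -CAcreateserial \
    -days 30 -extfile "$d/tls.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Return 0 when the chain in $1 (root.crt, issuing.crt, leaf.crt) has the
# properties the procedure configures, 1 otherwise. Point it at an exported
# CryptoHub chain laid out with the same file names to run the same checks.
check_chain() {
  d="$1"
  # The leaf must chain to the Root only through the Issuing CA
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/issuing.crt" "$d/leaf.crt" >/dev/null 2>&1 || return 1
  # Both CA certificates: 4096-bit key and CA:TRUE (the Certificate Authority profile)
  for c in root issuing; do
    txt=$(openssl x509 -in "$d/$c.crt" -noout -text)
    echo "$txt" | grep -q '4096 bit' || return 1
    echo "$txt" | grep -q 'CA:TRUE' || return 1
  done
  # The leaf must not be a CA and must be usable for TLS server authentication
  txt=$(openssl x509 -in "$d/leaf.crt" -noout -text)
  echo "$txt" | grep -q 'CA:FALSE' || return 1
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  return 0
}

demo_dir=$(mktemp -d)
build_demo_hierarchy "$demo_dir"
if check_chain "$demo_dir"; then
  echo "chain OK (files in $demo_dir)"
else
  echo "chain check FAILED (files in $demo_dir)"
fi
```

The verify step deliberately passes the issuing CA as untrusted rather than as a trust anchor: only the Root belongs in the trust store, and a leaf that does not present the issuing CA must fail to validate. That is the behaviour Kubernetes clients will see, so it is the right thing to confirm before pointing cert-manager at the CA.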