Hi,
sorry if this place might not be the perfect fit for my question, but I couldn't find a better place, nor could I find an explicit answer to my question in RFC8555.
As far as I understood cert-manager's YAML schema so far, using an intermediate CA as `Issuer` or `ClusterIssuer` should be possible, see this example. However, I would like the `Certificate` with `name: ca` from that example itself not to be issued by `selfsigned-issuer` as in the example, but instead to be signed via ACME using some private ACME server.
Questions:
1. Is this even possible, or does the RFC (or any other part of the required setup) only allow leaf certificates to be issued via ACME? As stated above, I couldn't find anything in the RFC. There's no mention of leaf or intermediate certificates there, so my wild guess would be that the ACME protocol doesn't care.
2. While the "ACME CA" which is signing the "cert-manager intermediate certificate" should already take care of this, it would still be good practice to limit the FQDNs which a cert-manager controlled intermediate CA may sign. Is it possible to add a Name Constraints extension to a `Certificate` definition?
Sorry again if this isn't the right place - in that case any hints on where to ask or where to find answers would be appreciated!
Cheers
Alex
EDIT: Typo
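As an added example, not part of the discussion above and not cert-manager's own code, the following Go program (standard library only) shows what a Name Constraints extension on an intermediate CA actually enforces for a relying party: a throwaway root signs an intermediate whose critical Name Constraints permit one DNS subtree, and a leaf inside that subtree verifies while a leaf outside it is rejected by the chain verifier. All names, keys and certificates are constructed locally; "Constructed Root" and "Constructed Intermediate" are placeholders, not cert-manager resource names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on any error so the certificate plumbing stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate together with its freshly generated subject key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(key, err) // abort if the RNG fails
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyLeafUnderConstrainedCA builds a constructed root, an intermediate whose
// critical Name Constraints permit only DNS names under permittedDomain, and a
// leaf for leafDNS signed by it; nil means the leaf chains to the root.
func VerifyLeafUnderConstrainedCA(permittedDomain, leafDNS string) error {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	// The shape one would want for the certificate behind a cert-manager CA issuer:
	// CA=true, pathlen 0 and critical Name Constraints limiting what it may sign.
	inter, interKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Intermediate"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		MaxPathLenZero: true, PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{permittedDomain}}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafDNS},
		DNSNames: []string{leafDNS}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leafDNS})
	return err
}
```

The constraint is enforced by the verifier regardless of what the issuing CA was willing to sign, which is the point of putting it on the intermediate rather than relying on issuance policy alone.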