How can I manage my ssl certificate (not CA certificate) via cert-manager？

[rysinal]

Is your feature request related to a problem? Please describe.

I import my ssl certificate to ClusterIssuer through CA, and then automatically generate tls secret through ingress annotations

cert-manager.io/cluster-issuer: my-issuer

i got an error for Error getting keypair for CA issuer: certificate is not a CA, my ssl certificate

Describe the solution you'd like

I apply for several different sets of wildcard ssl certificates (non-CA certificates, non-self-issued certificates) and I want to automate the creation (or copying) of my ssl certificate for secret to the current namespace by Annotation it in ingress, this allows me to automate the creation of the corresponding wildcard certificate secret key depending on the annotation, so I can maintain and update my ssl certificates under all namespaces through the upstream ClusterIssuer, looking forward to your reply.

Describe alternatives you've considered

Additional context

Environment details (remove if not applicable):

• Kubernetes version: v1.19.8
• Cloud-provider/provisioner:
• cert-manager version: v1.7.1
• Install method: helm

/kind feature

[SgtCoDFish]

Thanks for raising an issue!

I think this issue is a little confused when it comes to terminology. I'll use the terms in this FAQ on our website.

When you say you have "wildcard ssl certificates", I take that to mean you have leaf certificates. You wouldn't put those into a ClusterIssuer, which is designed to be able to issue other certificates and would require a root or intermediate cert.

If you're requesting the certs manually then I'm not sure where cert-manager would be involved? Maybe we need more detail here.