Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes how to use Certbot and Kubernetes cert-manager as ACME clients with Smart ID Certificate Manager (CM). 


Expand/Collapse All

Examples using Certbot

Values used in this example that you need to replace to different in your setup:

ParameterExample valueDescription
--serverhttps://host.example.com/pgwy/acme/directoryThis URL points to the Protocol Gateway installation that should act as ACME server.
--emailca-admin@example.com

Change to a valid email adress for your organisation

--eab-kidkeyID: "1"The pre-registration keyid described in Example: ACME configuration in Protocol Gateway
--eab-hmac-key

lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk 

The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway

This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM.

Example using certbot
certbot certonly \
--agree-tos \
--email ca-admin@example.com \
--domain example.com \
--server https://host.example.com/pgwy/acme/directory

This is an example of using the certbot client to issue a single certificate from Protocol Gateway and CM.

Example using certbot
certbot certonly \
     --agree-tos \
     --email ca-admin@example.com \
     --domain example.com \
     --server https://host.example.com/pgwy/acme/directory \
     --eab-kid certbot-kid-1 \
     --eab-hmac-key lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk

Example using Kubernetes.io and Cert-manager.io 

This example is based on the documentation here: https://cert-manager.io/docs/configuration/acme/ 

The CM installation and the Kubernetes cluster need to have connectivity with each other and an Ingress handler should be installed on the Kubernetes cluster. This example will use traefik. That requirement is needed for the ACME HTTP01 solver, if no such network connection is possible but the CM install could reach the DNS server you can use the DNS01 solver instead, read https://cert-manager.io/docs/configuration/acme/dns01/ for more information.

The following prerequisites apply for this example:

Example: ACME configuration in Protocol Gateway

Values used in this example that you need to replace to different in your setup:

ParameterExample valueDescription
serverhttps://host.example.com/pgwy/acme/directoryThis URL points to the Protocol Gateway installation that should act as ACME server.
emailca-admin@example.com

Change to a valid email adress for your organisation

nametest-demo-cm.example.comExample DNS name that a certificate shall be issued to.
keyIDkeyID: "1"The pre-registration keyid described in Example: ACME configuration in Protocol Gateway.
secret

lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk 

The pre-registration hmac-key described in Example: ACME configuration in Protocol Gateway.

Before certificates can be created with cert-manager, there must be a connection between cert-manager and CM. To set up the connection, a ClusterIssuer must be created. In this example, a ClusterIssuer is set up with a pre-registration key and HTTP solver based on: https://cert-manager.io/docs/configuration/acme/. To setup the ClusterIssuer is a system admin task and we use the cert-manager namespace and use another namespace for the "user" certificates in later steps. 

To set up connection between cert-manager and Smart ID Certificate Manager:

  1. Change to the namespace of that cert-manager is installed in. 

    Change default namespace
    kubectl config set-context --current --namespace=cert-manager
  2. In Kubernetes all sensitive information should be stored in secrets, this example creates a secret with the pre-registration key. 

    Create secret with pre-registration key
    kubectl create secret generic demo-cm-id1 --from-literal secret=lMA3WzMn5SPZZo1_I1_sa1DQESG4T2-2kV8WaFX7GCk
  3. Create a file called clusterissuer.yaml with the following information.  Change the keyID "1" in line 11,14, and 16 to the your local keyID and the secret in line 14 to the secret created in the step aboe. The secret in line 16 need to be unique secret per ClusterIssuer. Change url to Protocol Gateway in lin 17, and ingress class in line 22. The skipTLSVerify: true on line 18 is required if your CM Protocol Gateway installation is not running with a certificate trusted by the cert-manager.io (ie public certificate)

    clusterissuer.yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: demo-cm-id1
      namespace: cert-manager
    spec:
      acme:
        email: ca-admin@example.com
        externalAccountBinding:
          keyAlgorithm: HS256
          keyID: "1"
          keySecretRef:
            key: secret
            name: demo-cm-id1
        privateKeySecretRef:
          name: demo-cm-id1-private-key
        server: https://host.example.com/pgwy/acme/directory
        skipTLSVerify: true
        solvers:
        - http01:
            ingress:
              class: traefik 
  4. Create the ClusterIssuer by running the command: 

    Create ClusterIssuer
    kubectl create -f clusterissuer.yaml
  5. To show the details on the ClusterIssuer run this command:

    Example: Show information
    kubectl describe clusterissuer demo-cm-id1

    A sample output below, the important part is the status type in the end, showing that it's Ready, eq working. 

    Example output
    Name:         demo-cm-id1
    Namespace:
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         ClusterIssuer
    Metadata:
      Creation Timestamp:  2020-09-08T09:02:26Z
      Generation:          1
      Resource Version:    24444944
      Self Link:           /apis/cert-manager.io/v1/clusterissuers/demo-cm-id1
      UID:                 554262b6-7678-4960-9e2b-5acf7923eecc
    Spec:
      Acme:
        Email:  ca-admin@example.com
        External Account Binding:
          Key Algorithm:  HS256
          Key ID:         1
          Key Secret Ref:
            Key:          secret
            Name:         demo-cm-id1
        Preferred Chain:
        Private Key Secret Ref:
          Name:           demo-cm-private-key
        Server:           https://host.example.com/pgwy/acme/directory
        Skip TLS Verify:  true
        Solvers:
          http01:
            Ingress:
              Class:  traefik
    Status:
      Acme:
        Last Registered Email:  ca-admin@example.com
        Uri:                    https://host.example.com/pgwy/acme/directory/account/6RqONO6qnQXsLnyDjVcuTA
      Conditions:
        Last Transition Time:  2020-09-08T09:02:30Z
        Message:               The ACME account was registered with the ACME server
        Reason:                ACMEAccountRegistered
        Status:                True
        Type:                  Ready
    Events:                    <none>
    

The next step is to issue a certificate which can be used inside Kubernetes. This example is based on: https://cert-manager.io/docs/usage/certificate/:

  1. Create a new namespace, as part of the Kubernetes cluster, and change so that namespace is default

    Example: Create new namespace
    kubectl create namespace demo
    kubectl config set-context --current --namespace=demo
  2. Create a file called certificate.yaml with the following information. Change to the your local dnsNames (line 7) and ClusterIssuer (line 11).

    Example: certificate.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: test-demo-cm
    spec:
      dnsNames:
      - test-demo-cm.demo.com
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: demo-cm-id1
      secretName: test-demo-cm
  3. Create the certificate object:

    Example: Create certificate
    kubectl create -f certificate.yaml


  4. When the certificate object is created, you can check the status by running the following command.
    The sample below is from 12 seconds after the certificate object is created, and the certificate is not yet valid (line 29-30). 

    Example: Check status of certificate (non-ready)
    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24662332
      Self Link:           /apis/cert-manager.io/v1/namespaces/mikan-cm/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:        2020-09-09T07:43:11Z
        Message:                     Certificate expired on Wed, 09 Sep 2020 05:47:14 UTC
        Reason:                      Expired
        Status:                      False
        Type:                        Ready
        Last Transition Time:        2020-09-09T07:43:12Z
        Message:                     Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
        Reason:                      Renewing
        Status:                      True
        Type:                        Issuing
      Next Private Key Secret Name:  test-demo-cm-p5t8b
      Not After:                     2020-09-09T05:47:14Z
      Not Before:                    2020-09-09T05:37:14Z
      Renewal Time:                  2020-09-09T05:43:54Z
    Events:
      Type    Reason     Age   From          Message
      ----    ------     ----  ----          -------
      Normal  Issuing    12s   cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Reused     12s   cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Requested  12s   cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"
  5. You can now follow the ACME protocol flow by running the describe command on multiple cert-manager objects. See a sample flow below.
    For more information, see https://cert-manager.io/docs/concepts/acme-orders-challenges/

    Example: Cert-manager ACME flow
    $ kubectl describe certificaterequest test-demo-cm-4qxvv
    Name:         test-demo-cm-4qxvv
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  cert-manager.io/v1
    Kind:         CertificateRequest
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generate Name:       test-demo-cm-
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  Certificate
        Name:                  test-demo-cm
        UID:                   4c48b373-9f58-4015-b046-18ee74dd4191
      Resource Version:        24662343
      Self Link:               /apis/cert-manager.io/v1/namespaces/demo/certificaterequests/test-demo-cm-4qxvv
      UID:                     db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
    Spec:
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:43:12Z
        Message:               Waiting on certificate issuance from order demo/test-demo-cm-4qxvv-1625194031: "pending"
        Reason:                Pending
        Status:                False
        Type:                  Ready
    Events:
      Type    Reason        Age   From          Message
      ----    ------        ----  ----          -------
      Normal  OrderCreated  22s   cert-manager  Created Order resource demo/test-demo-cm-4qxvv-1625194031
    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:        24662344
      Self Link:               /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:                     c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Authorizations:
        Challenges:
          Token:        AAbLo32puww081z5oKhzxg
          Type:         dns-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:        AAbLo32puww081z5oKhzxg
          Type:         http-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Finalize URL:     https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:            pending
      URL:              https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason   Age   From          Message
      ----    ------   ----  ----          -------
      Normal  Created  53s   cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"
    $ kubectl describe order test-demo-cm-4qxvv-1625194031
    Name:         test-demo-cm-4qxvv-1625194031
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/certificate-revision: 1
                  cert-manager.io/private-key-secret-name: test-demo-cm-p5t8b
    API Version:  acme.cert-manager.io/v1
    Kind:         Order
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:12Z
      Generation:          1
      Owner References:
        API Version:           cert-manager.io/v1
        Block Owner Deletion:  true
        Controller:            true
        Kind:                  CertificateRequest
        Name:                  test-demo-cm-4qxvv
        UID:                   db9eaaaa-36d9-481c-a9c3-4f0d0c339de4
      Resource Version:        24662551
      Self Link:               /apis/acme.cert-manager.io/v1/namespaces/demo/orders/test-demo-cm-4qxvv-1625194031
      UID:                     c569526a-37ff-4ccc-a18b-8f5dcba5f2ef
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:  cert-manager.io
        Kind:   ClusterIssuer
        Name:   demo-cm
      Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ3BqQ0NBWTRDQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwrQQp3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0aG9BR29oTnpzM3h4ClNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGR2Mmp2MEU0Ky9OL3IKMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTC9FSlF4bUQvTnF3cwpQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwY0NiSTBXZ2czRXZ2Cm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQ0bVh6WDY4S1VWNVoKR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFCaE1GOEdDU3FHU0liM0RRRUpEakZTTUZBd05nWURWUjBSQkM4dwpMWUlyZEdWemRDMWtaVzF2TFdOdE1UTTNMbTFwYTJGdUxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFMCkJnTlZIUThFQkFNQ0JhQXdDUVlEVlIwbEJBSXdBREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZHgybWdJTjQKUkM2V2VpVmpMSWluN2xZR2Y1QVM0SndGT2VhNHB3ZVNFMndQaWptNUNMMWdsYnpHbUhSVmE1cW12bmVodEFubApOUzZWNi9ReHVMdGxPTXptdFJENElYSFA0SWpDRVpFdm1WeVpydGZzL1BiQXFSaXo1bU9xOFIraDFMTWpSZmp2CjRoTUxjRC9xdWE5dm5JUHNtZjZ5blpHL1Q0RHcxZzd1UGcya2lrWDhZeE5zTEF2c3JSQ0xLcjZYRXNwOUY3eE4KZy9BSGk5ZG5pdVRoVG9OUXJUeHRldE96WnE2eTV1MU44VG5pMFhyL2hmRFNkSXlNMFpqNjJXUDFpNyt3ek0vRQpFazEzdy9yMEZZU21zYnBPSlVGekFFYUVKalFGRVc4OUR1Y29LVmlHMVB4K25iUWp1M1hYWGZMQ3g5M0xtOXFNCkZSQk1uclMzN0ZMeUZBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
    Status:
      Authorizations:
        Challenges:
          Token:        AAbLo32puww081z5oKhzxg
          Type:         dns-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/dns-01
          Token:        AAbLo32puww081z5oKhzxg
          Type:         http-01
          URL:          https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ/http-01
        Identifier:     test-demo-cm.demo.com
        Initial State:  pending
        URL:            https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/authz/4aaWKMpvYD90KI-s_C7JXQ
        Wildcard:       false
      Certificate:      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpRENDQW5DZ0F3SUJBZ0lRUUF4ZDNneXBGVWZQZElZU0RDeFhFREFOQmdrcWhraUc5dzBCQVFzRkFEQk8KTVFzd0NRWURWUVFHRXdKVFJ6RWRNQnNHQTFVRUNoTVVUbVY0ZFhNZ1ZHVnpkQ0JUWlhSMWNDQTRMakl4SURBZQpCZ05WQkFNVEYwNWxlSFZ6SUZSbGMzUWdVMlYwZFhBZ09DNHlJRU5CTUI0WERUSXdNRGt3T1RBM05EUXhObG9YCkRUSXdNRGt3T1RBM05UUXhObG93TmpFME1ESUdBMVVFQXhNcmRHVnpkQzFrWlcxdkxXTnRNVE0zTG0xcGEyRnUKTFdOdExtMXpaR1YyTG1GNkxtNTRjMkZ6TG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQwpBUW9DZ2dFQkFMK0F3eFJkdWZoZE1hUDlVZDNkQ3hhd0paczZwOTQvMGNGV1hyaG02a3FTcVZSdW51SGp2NGl0CmhvQUdvaE56czN4eFNkUUV4OWgyaVRhSUoxWUhNbmNRZXE0VXJhNUhkOE1mTVk3ZFMxNUF4Yk5XMnh3c2oyUGQKdjJqdjBFNCsvTi9yMzgzaGlkOVFCOGF6Qi9WN09VeEtVajlONEhQVjFLMVFoYXQya2VyQVBrdHlaNy9HOGdCTAovRUpReG1EL05xd3NQREZzRkJiczBrVjd1anNqN3YrQXVlODFpNi9vYWtnajhqMzN6ZlZsRmZIeWphZFZuWFlwCmNDYkkwV2dnM0V2dm1xWEovMFBlS3VQamN4bjh5VG00RUVURUk1RzBROWprcFo1NXk4TFVHU25NcndwVDJhYWQKNG1Yelg2OEtVVjVaR1RpQkhZdmF5TTgyeEVOQWxrTUNBd0VBQWFONk1IZ3dDUVlEVlIwbEJBSXdBREFSQmdOVgpIUTRFQ2dRSVN6Z21uMzVuV244d05nWURWUjBSQkM4d0xZSXJkR1Z6ZEMxa1pXMXZMV050TVRNM0xtMXBhMkZ1CkxXTnRMbTF6WkdWMkxtRjZMbTU0YzJGekxtTnZiVEFUQmdOVkhTTUVEREFLZ0FoTUxnRkpBRzM0ZVRBTEJnTlYKSFE4RUJBTUNCYUF3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUF6Z1N4b0wwakJQSWR4OHhVUjVVUThRZlY1ZApSRVBGcWt1NlYrZzgyamdmb3UrNVFjbVFEWkljenA3WjM2ak1oTzJSYlliSUdGUll3c3RsNTRIa003TVE0d1ZnCmhjSDRrTDNQWGF0TG1OSzV4elY0TGtIb05TVys1Wk44T2JWNnVTSkhnd2lrWktrNXZyVzVVeW5aYkxXSWZDQ0YKTENLcm5wVUZzK09PR0kxNGFSYlpzZVdBb0M0WVhvMGlNcDZsYlA2bDNOR0dkUHQ2KytERnN3MjRZZmE1NDlzVgpZWXViZDJDTnNHTy94ckdkN1JKU3VZdTJ2UVJRdGw3TzBnL05hZHJjZEZjOVRyUkxWdVJiTGx0dGFFTm4zeSsxCkg1TEJCRGlMQkxJbUhpZmp4SmlCTnJJdVRUVTRkNW5ZcTlHM0RpeXY0Wnd4eHY0NmpQSjZoWUVyYnhnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlEWERDQ0FrU2dBd0lCQWdJUVZiamlkckhLM3B0MjdpVVhoYmpiampBTkJna3Foa2lHOXcwQkFRc0ZBREJPCk1Rc3dDUVlEVlFRR0V3SlRSekVkTUJzR0ExVUVDaE1VVG1WNGRYTWdWR1Z6ZENCVFpYUjFjQ0E0TGpJeElEQWUKQmdOVkJBTVRGMDVsZUhWeklGUmxjM1FnVTJWMGRYQWdPQzR5SUVOQk1CNFhEVEl3TURReU56QTVORGN3TkZvWApEVE13TURReU56QTVORGN3TkZvd1RqRUxNQWtHQTFVRUJoTUNVMGN4SFRBYkJnTlZCQW9URkU1bGVIVnpJRlJsCmMzUWdVMlYwZFhBZ09DNHlNU0F3SGdZRFZRUURFeGRPWlhoMWN5QlVaWE4wSUZObGRIVndJRGd1TWlCRFFUQ0MKQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLQmhGMHdCTHpLMjJ1dlZGS3k2UzBJbQpUNEliQWk0NE9iOVVMZG9EanV5cExrUURMcjlON001U2pzVDZ2eTNmb1RYb21sMFY1Wis5OE9mbTJzVUE2d2dqCnFiQWptRUg3OVorSFpyWUdpQ1daZkxwSGJJQWdsaGdGQ3dTTUNma3pTMnRxOHRNeVYvZFNIK1I5aGJJdUFSSmEKcllybEhwNm9heldvRzkxN1RuL0oxUFBzdUoyZ0d1eEt5VWhWcEdEc3E2V1NvNTBYZUlXRHNxZ1NxRHI1SzFabwpZekIyYkp3MUttK2VibllURi9kYXBLa2ZtV3lEOHBqV1ZMbzU0YjJVMEpWa1BLRUtBcU1qTFZFcUdycldHYTFjCkttN0VqcnFlT1JKbm9UZjNaSG50S21zMXJCVUFXVkp6NnhwRW5oNDBteTJ3amw4a3czRW5pRW41WVBIV3gwRUMKQXdFQUFhTTJNRFF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFSQmdOVkhRNEVDZ1FJVEM0QlNRQnQrSGt3RGdZRApWUjBQQVFIL0JBUURBZ0VHTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDYjRBSTVMbFlLbyswTC81RU1DeTd5CjJKa0hKRzVDSUV4bWErakEwN3ZydjkySXYwQUFBejVQZTBUcnhHQzNTWFdsK1lJZmNJbGlEZExJNEZZaXRNWlUKemhiQ0Jwdys2MXpLenVHdmwycTZWMjd6SjNuZDRWenpKajhGN2NpUWprbU5XeG42bG1VSVVITkxYNGNUVmZSMApyNmdQa0pkeTJ2V2xFUVd2QlZxOEdveW82Mk1kdjBScXJSdlZxbkJxRWl2clVWcytqMkl1MEtHY2tPSmNPL0QxCjRPNHlvTUxCTTR5LzBkY0dlU2xGQk5EbmpUU3g3OTkwZHhqNEh6UGZtRTBvYXROQiszVVRER2lOSUsya0lCOHIKYjJid1NMektiYmFTaktkcGhWV2N1ZnBCanM3MGFXSk5Kd0x4MlZOVnRqWVVHMU9TRHBsTW5kbVNXNndaaThLMgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
      Finalize URL:     https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg/finalize
      State:            valid
      URL:              https://host.example.com/pgwy/acme/directory/orders/c5IfVCbmZGNmVzKmJdiLvg
    Events:
      Type    Reason    Age   From          Message
      ----    ------    ----  ----          -------
      Normal  Created   99s   cert-manager  Created Challenge resource "test-demo-cm-4qxvv-1625194031-543829935" for domain "test-demo-cm.demo.com"
      Normal  Complete  35s   cert-manager  Order completed successfully
  6. After around a minute, the certificate should be ready. Most of the time is spent on Kubernetes' side, to setup the HTTP01 solver. In the sample output, look for the following information: 
    Status: True and Type: Ready (line 28-29) indicates that the certificate is ready.
    In Events, you can see that the certificate has been renewed after around 8 minutes.

    Example: Check status of certificate (ready)
    kubectl describe certificate.cert-manager.io/test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2020-09-09T07:43:11Z
      Generation:          1
      Resource Version:    24663796
      Self Link:           /apis/cert-manager.io/v1/namespaces/demo/certificates/test-demo-cm
      UID:                 4c48b373-9f58-4015-b046-18ee74dd4191
    Spec:
      Dns Names:
        test-demo-cm.demo.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       demo-cm
      Secret Name:  test-demo-cm
    Status:
      Conditions:
        Last Transition Time:  2020-09-09T07:44:17Z
        Message:               Certificate is up to date and has not expired
        Reason:                Ready
        Status:                True
        Type:                  Ready
      Not After:               2020-09-09T08:01:59Z
      Not Before:              2020-09-09T07:51:59Z
      Renewal Time:            2020-09-09T07:58:39Z
      Revision:                2
    Events:
      Type    Reason     Age                   From          Message
      ----    ------     ----                  ----          -------
      Normal  Issuing    9m36s                 cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 05:43:54 +0000 UTC
      Normal  Requested  9m36s                 cert-manager  Created new CertificateRequest resource "test-demo-cm-4qxvv"
      Normal  Reused     112s (x2 over 9m36s)  cert-manager  Reusing private key stored in existing Secret resource "test-demo-cm"
      Normal  Issuing    112s                  cert-manager  Renewing certificate as renewal was scheduled at 2020-09-09 07:50:56 +0000 UTC
      Normal  Requested  112s                  cert-manager  Created new CertificateRequest resource "test-demo-cm-k9zxc"
      Normal  Issuing    48s (x2 over 8m31s)   cert-manager  The certificate has been successfully issued
  7. You can also check the secret that contains the actual certificate by using: 

    Check secret
    kubectl describe secret test-demo-cm
    Name:         test-demo-cm
    Namespace:    demo
    Labels:       <none>
    Annotations:  cert-manager.io/alt-names: test-demo-cm.demo.com
                  cert-manager.io/certificate-name: test-demo-cm
                  cert-manager.io/common-name: test-demo-cm.demo.com
                  cert-manager.io/ip-sans:
                  cert-manager.io/issuer-group: cert-manager.io
                  cert-manager.io/issuer-kind: ClusterIssuer
                  cert-manager.io/issuer-name: demo-cm
                  cert-manager.io/uri-sans:Type:  kubernetes.io/tlsData
    ====
    tls.crt:  2509 bytes
    tls.key:  1675 bytes

CI/CD tool integration based on ACME clients

For continuous integration and continuous delivery tools (CI/CD tools) integration based on ACME clients, see the links for information: