.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA

CMPv2 certificate provider
==========================

------------------------------
The CMPv2 certificate provider is part of the certificate distribution infrastructure in ONAP.
Its main function is to forward Certificate Signing Requests (CSRs) created by cert-manager (https://cert-manager.io) to CertServiceAPI, which obtains the signed certificate from the CA.

Additional information can be found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.

By default the CMPv2 provider is **disabled**. To enable it, set the following global Helm value:

- CMPv2CertManagerIntegration = true

------------------------------
In order to request a certificate via the CMPv2 provider, a *CMPv2Issuer* custom resource (an instance of the *CMPv2Issuer* CRD, Custom Resource Definition) has to be created.

It is important to note that the attribute *kind* has to be set to **CMPv2Issuer**; all other attributes can be set as needed.

**NOTE: a default instance of CMPv2Issuer is created when installing ONAP via OOM deployment.**

Here is the definition of the *CMPv2Issuer* provided with the ONAP installation:
.. code-block:: yaml

   apiVersion: certmanager.onap.org/v1
   kind: CMPv2Issuer
   metadata:
     name: cmpv2-issuer-onap
   spec:
     url: https://oom-cert-service:8443
     healthEndpoint: actuator/health
     certEndpoint: v1/certificate
     # Secret holding the client certificate and key the provider presents to CertServiceAPI
     certSecretRef:
       name: cmpv2-issuer-secret
       certRef: cmpv2Issuer-cert.pem
       keyRef: cmpv2Issuer-key.pem
------------------------------

In order to request a certificate, a K8s *Certificate* custom resource (an instance of the cert-manager *Certificate* CRD, Custom Resource Definition) has to be created.

It is important that the attributes in the *issuerRef* section have the following values:

- group: certmanager.onap.org
- kind: CMPv2Issuer
- name: the name of the *CMPv2Issuer* instance to use (cmpv2-issuer-onap for the default instance created by OOM)

After the *Certificate* has been created, cert-manager generates the key pair and sends a *CSR* (Certificate Signing Request) to the CA (Certificate Authority) via the CMPv2 provider.
The signed certificate as well as the trust anchor (CA root certificate) are stored in the K8s *Secret* specified in the *Certificate* (see the secretName attribute). The private key is written to the same secret, so read access to it should be restricted with RBAC to the workload that needs the certificate.

By default the certificates are stored in PEM format. They can additionally be produced in JKS and P12 format (see the example below); more information can be found in the official cert-manager documentation.

The following SAN types are supported: DNS names, IP addresses, URIs and e-mail addresses.

Here is an example of a *Certificate*:
.. code-block:: yaml

   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: certificate_name
   spec:
     # The secret name to store the signed certificate
     secretName: secret_name
     commonName: certissuer.onap.org
     dnsNames:
       - localhost
       - certissuer.onap.org
     uris:
       - onap://cluster.local/
     # The reference to the CMPv2 issuer
     issuerRef:
       group: certmanager.onap.org
       kind: CMPv2Issuer
       name: cmpv2-issuer-onap
     # Section keystores is optional and defines in which formats certificates will be stored;
     # if this section is omitted, only PEM format will be present in the secret
     keystores:
       jks:
         create: true
         passwordSecretRef: # Password used to encrypt the keystore
           name: certservice-key
           key: password  # key inside the secret that holds the password (name assumed here)
       pkcs12:
         create: true
         passwordSecretRef: # Password used to encrypt the keystore
           name: certservice-key
           key: password  # key inside the secret that holds the password (name assumed here)
Here is an example of a generated *Secret* containing the certificates, as shown by ``kubectl describe secret``:

.. code-block:: none

   Name:         secret_name
   Annotations:  cert-manager.io/alt-names: localhost,certissuer.onap.org
                 cert-manager.io/certificate-name: certificate_name
                 cert-manager.io/common-name: certissuer.onap.org
                 cert-manager.io/ip-sans:
                 cert-manager.io/issuer-group: certmanager.onap.org
                 cert-manager.io/issuer-kind: CMPv2Issuer
                 cert-manager.io/issuer-name: cmpv2-issuer-onap
                 cert-manager.io/uri-sans:

   Type:  kubernetes.io/tls

   Data
   ====
   tls.crt:         1675 bytes  <-- Certificate (PEM)
   tls.key:         1679 bytes  <-- Private Key (PEM)
   truststore.jks:  1265 bytes  <-- Trust anchors (JKS)
   ca.crt:          1692 bytes  <-- Trust anchors (PEM)
   keystore.jks:    3786 bytes  <-- Certificate and Private Key (JKS)
   keystore.p12:    4047 bytes  <-- Certificate and Private Key (P12)
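The following script is an added example, not code from ONAP, OOM or cert-manager. It checks that the secret cert-manager produced matches the *Certificate* that was requested: the issuerRef points at the CMPv2 issuer, the issuer annotations and requested SANs agree with the spec, and every expected key (PEM material plus the keystores that were asked for) is present and non-empty. The Certificate spec and the ``kubectl describe secret`` output are constructed samples embedded in the script (byte counts are illustrative, and the keystore password key name ``password`` is assumed); in practice the spec comes from ``kubectl get certificate <name> -o json`` and the text from ``kubectl describe secret <secretName>``.

```python
"""Post-issuance consistency check for a cert-manager Certificate issued through
the ONAP CMPv2Issuer.  Added example, not ONAP/OOM code: it compares the
Certificate spec with the output of `kubectl describe secret <secretName>`."""
import re

# Constructed sample: the spec of the Certificate shown on this page.
# The keystore password key name ("password") is assumed.
CERT_SPEC = {
    "secretName": "secret_name",
    "commonName": "certissuer.onap.org",
    "dnsNames": ["localhost", "certissuer.onap.org"],
    "uris": ["onap://cluster.local/"],
    "issuerRef": {"group": "certmanager.onap.org",
                  "kind": "CMPv2Issuer",
                  "name": "cmpv2-issuer-onap"},
    "keystores": {
        "jks": {"create": True,
                "passwordSecretRef": {"name": "certservice-key", "key": "password"}},
        "pkcs12": {"create": True,
                   "passwordSecretRef": {"name": "certservice-key", "key": "password"}},
    },
}

# Constructed sample of `kubectl describe secret secret_name`; sizes are illustrative.
DESCRIBE_OUTPUT = """\
Name:         secret_name
Namespace:    onap
Labels:       <none>
Annotations:  cert-manager.io/alt-names: localhost,certissuer.onap.org
              cert-manager.io/certificate-name: certificate_name
              cert-manager.io/common-name: certissuer.onap.org
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: certmanager.onap.org
              cert-manager.io/issuer-kind: CMPv2Issuer
              cert-manager.io/issuer-name: cmpv2-issuer-onap
              cert-manager.io/uri-sans: onap://cluster.local/

Type:  kubernetes.io/tls

Data
====
tls.crt:         1675 bytes
tls.key:         1679 bytes
truststore.jks:  1265 bytes
ca.crt:          1692 bytes
keystore.jks:    3786 bytes
keystore.p12:    4047 bytes
"""


def parse_describe_secret(text):
    """Parse `kubectl describe secret` output into (annotations, type, data sizes)."""
    annotations, data, secret_type = {}, {}, None
    in_annotations = in_data = False
    for line in text.splitlines():
        if line.startswith("Annotations:"):
            in_annotations = True
            line = line[len("Annotations:"):]          # first annotation is on this line
        elif line.startswith("Type:"):
            in_annotations = False
            secret_type = line[len("Type:"):].strip()
            continue
        elif line.strip() == "Data":
            in_annotations, in_data = False, True
            continue
        elif in_data:
            m = re.match(r"\s*(\S+):\s+(\d+) bytes", line)
            if m:
                data[m.group(1)] = int(m.group(2))
            continue
        if in_annotations:
            m = re.match(r"\s*([^\s:]+):\s*(.*)$", line)
            if m:
                annotations[m.group(1)] = m.group(2).strip()
    return annotations, secret_type, data


def check_issued_secret(spec, describe_text):
    """Return the list of discrepancies between the requested Certificate and
    the secret cert-manager wrote; an empty list means they are consistent."""
    ann, secret_type, data = parse_describe_secret(describe_text)
    problems = []
    ref = spec.get("issuerRef", {})
    if ref.get("group") != "certmanager.onap.org" or ref.get("kind") != "CMPv2Issuer":
        problems.append("issuerRef must use group certmanager.onap.org and kind CMPv2Issuer")
    for key, field in (("issuer-group", "group"), ("issuer-kind", "kind"), ("issuer-name", "name")):
        if ann.get("cert-manager.io/" + key) != ref.get(field):
            problems.append(f"secret was issued by a different issuer ({key})")
    if secret_type != "kubernetes.io/tls":
        problems.append(f"unexpected secret type {secret_type!r}")
    if ann.get("cert-manager.io/common-name") != spec.get("commonName"):
        problems.append("commonName mismatch")
    # cert-manager copies the requested SANs into annotations; compare as sets
    for key, field in (("alt-names", "dnsNames"), ("ip-sans", "ipAddresses"), ("uri-sans", "uris")):
        got = {v for v in ann.get("cert-manager.io/" + key, "").split(",") if v}
        if got != set(spec.get(field, [])):
            problems.append(f"{field}: secret has {sorted(got)}, requested {sorted(spec.get(field, []))}")
    # PEM material is always present; keystores only when requested
    expected = {"tls.crt", "tls.key", "ca.crt"}
    keystores = spec.get("keystores", {})
    if keystores.get("jks", {}).get("create"):
        expected |= {"keystore.jks", "truststore.jks"}
    if keystores.get("pkcs12", {}).get("create"):
        expected.add("keystore.p12")
    missing = sorted(expected - set(data))
    if missing:
        problems.append(f"secret lacks {missing}")
    problems.extend(f"{name} is empty" for name in sorted(expected & set(data)) if data[name] == 0)
    return problems


if __name__ == "__main__":
    for p in check_issued_secret(CERT_SPEC, DESCRIBE_OUTPUT) or ["secret is consistent with the Certificate"]:
        print(p)
```

The annotations record what cert-manager requested, not what the CA actually signed, so this check only catches a secret that belongs to another issuer or Certificate, or keystores that were not produced. The issued certificate itself should still be inspected: decode ``tls.crt`` and ``ca.crt`` from the secret (``kubectl get secret secret_name -o jsonpath='{.data.tls\.crt}' | base64 -d``) and run ``openssl x509 -noout -text`` to confirm the SANs and ``openssl verify -CAfile ca.crt tls.crt`` to confirm the chain to the delivered trust anchor.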