
Commit a8d95de

Merge pull request #1739 from SgtCoDFish/ocspservers
Document ocspServers parameter for CA issuers
2 parents ba19064 + 0bbdb42 commit a8d95de


2 files changed

+21
-11
lines changed


.spelling

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -861,3 +861,4 @@ tls-acme
861861
uri-sans
862862
venafi.cert
863863
x509
864+
CRLs
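Review bot: only `CRLs` is added to the spelling allow-list in this hunk, but the new ca.md section also introduces `OCSP` and the field name `ocspServers`; confirm those terms already pass the spelling check, or add them here alongside `CRLs` so the docs build does not fail on the new text.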

content/docs/configuration/ca.md

Lines changed: 20 additions & 11 deletions
Original file line number | Diff line number | Diff line change
@@ -73,17 +73,6 @@ spec:
7373
secretName: ca-key-pair
7474
```
7575

76-
Optionally, you can specify [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) Distribution Points; an array of strings each of which identifies the location of the CRL from which the revocation of this certificate can be checked.
77-
78-
```yaml
79-
...
80-
spec:
81-
ca:
82-
secretName: ca-key-pair
83-
crlDistributionPoints:
84-
- "http://example.com"
85-
```
86-
8776
Once deployed, you can then check that the issuer has been successfully
8877
configured by checking the ready status of the certificate. Replace `issuers`
8978
here with `clusterissuers` if that is what has been deployed.
@@ -97,6 +86,26 @@ ca-issuer True Signing CA verified 2m
9786
Certificates are now ready to be requested by using the CA `Issuer` named
9887
`ca-issuer` within the `sandbox` namespace.
9988

89+
### Revocation Sources
90+
91+
Optionally, you can specify [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) Distribution Points or [OCSP servers](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)
92+
for the CA issuer, to enable clients to check the revocation status of certificates issued by this CA.
93+
94+
These are arrays of strings which give the location from which either a CRL or an OCSP response can be retrieved, respectively. The CA issuer will then include these in the issued certificates.
95+
96+
```yaml
97+
...
98+
spec:
99+
ca:
100+
secretName: ca-key-pair
101+
crlDistributionPoints:
102+
- "http://example.com/my.crl"
103+
ocspServers:
104+
- "http://ocsp.example.com"
105+
```
106+
107+
Note that cert-manager has no support for generating or maintaining CRLs or OCSP responses; these sources must be provided by the operator of the CA issuer.
108+
100109
## Important Information
101110

102111
The CA issuer is lightweight and is intended for experienced cluster operators who understand
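Review bot: the sentence at diff line 94 says the CA issuer will "include these in the issued certificates" without saying where; readers would be helped by stating that `crlDistributionPoints` populates the X.509 CRL Distribution Points extension and `ocspServers` populates the Authority Information Access (OCSP) extension, since those are the fields clients consult when checking revocation. It is also worth a short note next to the YAML example that the URLs must be reachable by every relying party that validates the certificate, because the note at line 107 already makes clear that cert-manager will not serve them itself.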
