Applies To:
All Certificate requests from Cert-Manager to Venafi as an Issuer
Summary:
When requesting a certificate from Cert-Manager, you reference a specific policy folder in which you would like your certificates to be stored. You set this policy, or "zone", for each Issuer within your Cert-Manager instance as shown below:
The "zone" underlined above, Certificates\cert-manager, maps to Policy\Certificates\cert-manager, a specific policy folder within TPP. Cert-Manager refers to this as a "zone", whereas Venafi refers to it as a "policy".
The referenced policy, in this case Certificates/Cert-Manager, may have locked policy values that affect whether a CSR submitted from Cert-Manager succeeds. Below are explanations of certificate policy values and how their settings might affect certificate requests coming from Cert-Manager.
More Info:
Cert-Manager uses vcert, a command-line utility designed to simplify key generation and enrollment of machine identities. The vcert GitHub repository has a "Prerequisites for using with Trust Protection Platform" section with guidelines similar to those found here, which offers additional context: https://github.com/Venafi/vcert
To better understand locked and unlocked policy values, refer to the TPP documentation on locked policy values: https://docs.venafi.com/Docs/current/TopNav/Content/Policies/t-Policies-Values-Locking.php?
For reference, we show the Certificates/Cert-Manager policy folder and its available settings, as that is the location referenced by our Cert-Manager Issuer above.
1. General Information
These settings do not affect the success or failure of a certificate request from Cert-Manager. They are Venafi-specific settings that relate to notification rules, logging, management and workflow.
2. CSR Handling Policy Settings
CSR Generation: There are two types of Certificate Signing Request (CSR) generation within Venafi: Service Generated and User Provided. Service Generated means that Venafi generates the CSR from the values provided during certificate object creation. User Provided means that the CSR is provided by the user or endpoint outside of Venafi.
Note: You must allow "User Provided CSRs" in your TPP policy, as this is the only type supported by cert-manager at this time, as noted here: https://cert-manager.io/docs/configuration/venafi/
Service Generated CSR Locked: Your CSR from Cert-Manager will not be accepted by policy, because the locked policy value conflicts with the action taking place (a user-generated CSR from cert-manager). Example Cert-Manager error output below:
{"Error":"PKCS#10 data will not be processed. Policy \"\\VED\\Policy\\Certificates\\Cert-Manager\" is locked to a Server Generated CSR."}
Service Generated CSR Unlocked: Cert-Manager's CSR will be accepted by policy, as Service Generated CSR is now a suggested value rather than a locked one.
User Provided CSR Locked: Cert-Manager's CSR will be accepted by policy as long as the CSR matches all expected/locked values.
User Provided CSR Unlocked: Cert-Manager's CSR will be accepted by policy as long as the CSR matches all expected/locked values.
Generate Key/CSR on Application: Leave unlocked, or locked to 'No'.
Hash Algorithm: Can be locked, as long as the Certificate Authority handling the requests accepts the locked value.
3. Subject DN
Locked or unlocked Subject DN values have a large impact on whether CSR requests from Cert-Manager succeed.
Subject DN Locked: If these values are locked, the CSR generated by Cert-Manager must include them exactly as they appear in the policy tree. Below are locked Venafi policy values for Organization, City, State/Province, and Country.
These values are named slightly differently in Cert-Manager and are referenced as follows in a Certificate resource file:
organizations:
- Venafi
localities:
- Salt Lake City
provinces:
- UT
countries:
- US
* organizationalUnits corresponds to the Organizational Unit policy value.
These values are documented in the Cert-Manager API reference: https://cert-manager.io/docs/reference/api-docs/
Subject DN Unlocked: These values are suggested but not enforced. If your certificate request from Cert-Manager does not contain them, it may still succeed, provided the CA accepts a request without that subject information.
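The Issuer "zone" reference from the Summary and the locked Subject DN mapping above, combined into one added example manifest that is not from the original article or from cert-manager's own documentation. The TPP URL, namespace, Secret name, resource names and the example.com DNS name are assumed placeholders; the subject values are the locked policy values shown above.

```yaml
# Issuer pointing at the TPP policy folder that Cert-Manager calls a "zone".
# tpp.example.com, the namespace and the Secret name are placeholders.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: venafi-tpp
  namespace: demo
spec:
  venafi:
    # Cert-Manager "zone" == TPP policy folder Policy\Certificates\cert-manager
    zone: 'Certificates\cert-manager'
    tpp:
      url: https://tpp.example.com/vedsdk   # placeholder TPP URL
      credentialsRef:
        name: tpp-secret                     # Secret holding the TPP credentials
---
# Certificate whose subject matches the locked Subject DN values exactly,
# so that the user-provided CSR is accepted by the locked policy.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo15-cert
  namespace: demo
spec:
  secretName: demo15-cert-tls
  # Requested names must fall under the policy's Allowed Domains;
  # example.com is a placeholder for a whitelisted domain.
  commonName: demo15.example.com
  dnsNames:
    - demo15.example.com
  subject:
    organizations:        # TPP policy: Organization
      - Venafi
    localities:           # TPP policy: City
      - Salt Lake City
    provinces:            # TPP policy: State/Province
      - UT
    countries:            # TPP policy: Country
      - US
  privateKey:
    algorithm: RSA
    size: 2048            # meets the recommended key strength of 2048 or higher
  issuerRef:
    name: venafi-tpp
    kind: Issuer
```

If any locked Subject DN value is missing or spelled differently in the Certificate resource, TPP rejects the CSR, so compare these fields against the policy tree before applying the manifest.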
4. Domain Whitelist
Allowed Domains: Recommended. Assign the domain whitelisting policy appropriately; a common name or SAN outside the allowed domains is rejected with an error such as:
common name demo15.certman.com is not allowed in this policy: [^([\p{L}\p{N}-]+\.)*{allowed\.domain}$]
Allow Wildcards: Can be locked or unlocked; it simply allows wildcard certificate creation and has no effect on the successful submission of Cert-Manager CSRs.
Allow Duplicate Common and Subject Alternative Names: Can be locked or unlocked; it allows duplicate common names and SANs and has no effect on the successful submission of Cert-Manager CSRs.
5. Private Key
When generating certificates using Cert-Manager, the private key for each certificate is held in a Secret within Cert-Manager. Venafi does not have the private key in its database, so the private-key-specific settings do not affect Cert-Manager's CSRs.
Key Strength: Recommended key bit strength of 2048 or higher.
6. Other Information
CA Template: Can be locked or unlocked, but this is the template to which Venafi sends the CSR in order to retrieve the certificate. If it is unlocked and later changed, this may impact successful submission of Cert-Manager's CSRs, as different CA templates have different requirements.
Disable Automatic Renewal: Recommended setting 'Yes'.
Renewal Window: Renewals within Cert-Manager are handled via its rotationPolicy, but make sure that your rotationPolicy aligns with the Renewal Window certificate policy setting of Venafi; otherwise you may see issues with re-issuance. If this value is unlocked, it acts as a suggested value.
7. Validation
These validation settings are Venafi-specific and do not affect Cert-Manager's CSR requests.