Programmatically create certificates ?

[Darshan]

Hi

I have started using cert-manager for generating self signed certificates. I was wondering if there was a way we can generate certificates during runtime using any api or programming construct. 

Alternately I am thinking, we can have a template file, and during the run time fill in the yaml file and apply that using kubectl, but a programmatic access would be nice. Any thoughts ?

Thanks.

[Bryan Hunt]

It would probably be best if you just worked directly with OpenSSL or with a wrapper (in whatever language you are using) over the OpenSSL API if you are just generating self-signed certs. 

Alternatively, communicate with the Kubernetes API server and create the objects (Certificate,Issuer) that you need programmatically and dispense with invoking the kubectl executable (risks of insecure invocation as with any exec call).

[Darshan]

Thanks Bryan.

We have a root cert (self signed) for our cluster which is generated by cert-manager. The other certificates that we generate for other clients, we want to get them signed by the root cert, that's why we face the above problem. Since CN is not known apriori for these clients, we want to be able to create them when needed and not necessarily at the beginning.