Is there any support / future support to create client certificates?


Ariel B

Aug 25, 2019, 11:43:54 AM
to cert-manager-dev
Hi, I managed to create server certificates pretty easily. I was wondering what the method is to create client certificates as well (as I want to distribute them to my pods).

Thanks!

Mike Malone

Aug 26, 2019, 12:54:43 PM
to cert-manager-dev
Hey Ariel,

I'm not a cert-manager expert but I do know a bit about certificates in general. I think it would be helpful if you could provide more details about what you mean by "client certificates". Technically, the certificates being issued by cert-manager from Let's Encrypt (and probably from other backends) can already be used as client certificates since the "TLS Web Client Authentication" key usage is typically set (it is for Let's Encrypt, at least). So cert-manager might already be doing what you need.

Reading between the lines of your question I speculate that what you're actually looking for is an easier way to distribute certificates to pods..? Is that right?

The other thing that often comes up with client certificates is a desire to use different identities/names in certificates and to use alternative enrollment techniques (i.e., *not* ACME), since a client doesn't always have a resolvable domain name. Again, I'm just speculating here. Is that what you're looking for?

Stuart Warren

Aug 27, 2019, 5:14:56 AM
to cert-manager-dev
Certs with "client auth" are only created if you create a CertificateRequest with a CSR, but not a regular Certificate.

I have an MR awaiting review to add a feature to allow you to specify your own key usages.
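
An added example, not part of the thread and not cert-manager code: Go's `crypto/x509` verifier, asked to require the "client auth" extended key usage (EKU) discussed in the posts above, run against constructed self-signed test certificates. The function name, variable names and test certificates are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed EKU sets for the test certificates (assumptions, not from the thread).
var serverOnly = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
var serverAndClient = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
var noEKU []x509.ExtKeyUsage // certificate carries no EKU extension

// acceptedAsClient reports whether a verifier requiring client auth accepts a test cert with these EKUs.
func acceptedAsClient(ekus []x509.ExtKeyUsage) (bool, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test-cert"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the throwaway certificate directly
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil, nil
}

func main() {
	fmt.Println(acceptedAsClient(noEKU))
}
```

This verifier treats a certificate with no EKU extension as unrestricted, so `noEKU` passes the client-auth check just as `serverAndClient` does; only `serverOnly`, which lists usages without client auth, is rejected.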
