Considerations

When using AWS Private Certificate Authority with Kubernetes, keep the following considerations in mind.

Cross-account use of cert-manager

Administrators with cross-account access to a CA can use the cert-manager add on for Kubernetes to provision certificates for a cluster using the shared CA. For more information, refer to Security best practices for Cross-account access to private CAs.

You can use only certain AWS Private CA certificate templates in cross-account scenarios.

The following table lists AWS Private CA templates that you can use with cert-manager to provision a Kubernetes cluster.

Templates supported for Kubernetes	Support for cross-account use
BlankEndEntityCertificate_CSRPassthrough/V1 definition	No
CodeSigningCertificate/V1 definition	No
EndEntityCertificate/V1 definition	Yes
EndEntityClientAuthCertificate/V1 definition	Yes
EndEntityServerAuthCertificate/V1 definition	Yes
OCSPSigningCertificate/V1 definition	No

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Concepts

Get started