Posted On: Jul 15, 2021

AWS Private Certificate Authority (CA) now supports an open source plugin for cert-manager that offers a more secure certificate authority solution for Kubernetes containers. cert-manager is a widely-adopted solution for TLS certificate management in Kubernetes. Customers who use cert-manager for application certificate lifecycle management can now use this solution to improve security over the default cert-manager CA, which stores keys in plaintext in server memory. Customers with regulatory requirements for controlling access to and auditing their CA operations can use this solution to improve auditability and support compliance.

Kubernetes containers and applications use digital certificates to provide secure authentication and encryption over TLS. With this plugin, cert-manager requests TLS certificates from Private CA, a highly available, auditable, and managed CA that secures CA keys using FIPS-validated Hardware Security Modules (HSMs). The integration supports certificate automation for TLS in a range of configurations, including at the ingress, on the pod, and mutual TLS between pods. You can use the AWS Private CA Issuer plugin with Amazon Elastic Kubernetes Service, self managed Kubernetes on AWS, and Kubernetes on-premises.
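The wiring described above, as an added example that is not part of the announcement: a cluster-scoped issuer backed by a Private CA (placeholder ARN and region, assumed) and a workload Certificate whose usages cover both server and client authentication so the same leaf can serve mutual TLS between pods. Names, namespace and durations are assumptions; the plugin's own CRD group and kinds are used as published in the GitHub project.

```yaml
# Cluster-scoped issuer that fronts an existing Private CA.
# The CA ARN and region below are placeholders (constructed for this example).
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: pca-cluster-issuer
spec:
  arn: arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/PLACEHOLDER-CA-ID
  region: us-east-1
---
# Leaf certificate for a workload (hypothetical "orders" service).
# cert-manager generates the key in-cluster and sends only a CSR to Private CA,
# so the CA signing key never leaves the Private CA HSMs.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-svc-tls
  namespace: orders
spec:
  secretName: orders-svc-tls              # Secret that receives key, cert and chain
  commonName: orders.orders.svc.cluster.local
  dnsNames:
    - orders.orders.svc
    - orders.orders.svc.cluster.local
  duration: 2160h                          # 90 days; cert-manager renews automatically
  renewBefore: 360h                        # start renewal 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                 # fresh key pair on every renewal
  usages:                                  # server + client auth for pod-to-pod mTLS
    - server auth
    - client auth
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: pca-cluster-issuer
```

The plugin's controller still needs AWS credentials (for example an IAM role attached to its service account) that permit issuing from that CA; that IAM setup is not shown here.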

To learn more about the plugin and see step-by-step instructions for configuring it, visit this blog: TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS. You can get the plugin from GitHub.

Private CA provides you a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. CA administrators can use Private CA to create a complete CA hierarchy, including online root and subordinate CAs, with no need for external CAs. With Private CA, you can create private certificates for your resources in one place with a secure, pay-as-you-go, managed private CA service.

cert-manager is an add-on to Kubernetes that provides TLS certificate management. cert-manager requests certificates, distributes them to Kubernetes containers, and automates certificate renewal. cert-manager ensures certificates are valid and up to date, and attempts to renew certificates at an appropriate time before expiry.

For a list of regions where Private CA is available, see AWS Regions and Endpoints.

To get started with Private CA, visit the Getting Started page.