Posted On: Jan 4, 2022

AWS Certificate Manager (ACM) Private Certificate Authority (CA) announces the release of Version 1.0 (v1.0) of the Private CA Kubernetes cert-manager plugin, an open source plugin for cert-manager that offers a secure certificate authority solution for Kubernetes containers. ACM Private CA is AWS’s managed and highly available private CA service, and cert-manager is a widely-adopted solution for TLS certificate management in Kubernetes. Customers who use cert-manager for certificate lifecycle management can use this plugin with ACM Private CA to improve security over the default cert-manager CA, which stores keys in plaintext in server memory. v1.0 of the plugin replaces v0.3.1 released in July 2021 and is production ready with new features, maintenance improvements, and bug fixes. With this release, we've added automated end-to-end integration testing that runs with each software change. This means any plugin changes from now on are automatically tested before being released. This improves quality and production-readiness. The plugin’s repository automatically makes releases available in an AWS-owned ECR repository, so customers always get the latest version of the plugin.

Kubernetes containers and applications use digital certificates to provide secure authentication and encryption over TLS. With this plugin, cert-manager requests TLS certificates from ACM Private CA, a highly available and auditable managed CA that secures CA keys using FIPS-validated Hardware Security Modules (HSMs). Together, cert-manager and the plugin for ACM Private CA provide certificate automation for TLS in a range of configurations, including at the ingress, on the pod, and mutual TLS between pods. You can use the ACM Private CA Kubernetes cert-manager plugin with Amazon Elastic Kubernetes Service, self-managed Kubernetes on AWS, and Kubernetes on-premises.

To learn more about the plugin and see the step-by-step instructions to configure it, visit this blog: TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS. You can get the plugin from GitHub.

ACM Private CA provides you with a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. CA administrators can use Private CA to create a complete CA hierarchy, including online root and subordinate CAs, with no need for external CAs. With ACM Private CA, you can create private certificates for your resources in one place with a secure, pay-as-you-go, managed private CA service.

cert-manager is an add-on to Kubernetes that provides TLS certificate management. cert-manager requests certificates, distributes them to Kubernetes containers, and automates certificate renewal. cert-manager ensures certificates are valid and up to date, and attempts to renew certificates at an appropriate time before expiry.
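As an added example (not from this announcement or from the plugin's own documentation), the two manifests below show how the pieces described above fit together: a cluster-wide issuer that points cert-manager at an ACM Private CA, and a Certificate whose key never leaves the cluster while the CA signing key stays in the HSM-backed service. The CA ARN, region, resource names and DNS names are placeholders; the `awspca.cert-manager.io/v1beta1` API group and `AWSPCAClusterIssuer` kind are assumed from the plugin's CRDs, and the `duration`/`renewBefore` fields are standard cert-manager settings that drive the pre-expiry renewal the text mentions.

```yaml
# Added example, not the plugin's or AWS's own manifests.
# Issuer: one per cluster, referencing an existing ACM Private CA.
apiVersion: awspca.cert-manager.io/v1beta1   # assumed from the plugin's CRDs
kind: AWSPCAClusterIssuer
metadata:
  name: acm-pca-issuer                        # assumed name
spec:
  # Placeholder ARN; the private CA must already exist and be ACTIVE.
  arn: arn:aws:acm-pca:REGION:ACCOUNT_ID:certificate-authority/CA_ID
  region: REGION                              # placeholder
---
# Certificate: cert-manager generates the private key in-cluster, sends only a
# CSR to ACM Private CA through the plugin, and stores the result in a Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls                               # assumed name
  namespace: default
spec:
  secretName: app-tls                         # receives tls.crt, tls.key, ca.crt
  commonName: app.example.internal            # placeholder
  dnsNames:
    - app.example.internal                    # placeholder
    - app.default.svc.cluster.local           # in-cluster service name
  duration: 2160h                             # 90-day validity
  renewBefore: 360h                           # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
  usages:
    - server auth
    - client auth                             # both sides present certs for pod-to-pod mTLS
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: acm-pca-issuer
```

After applying both, `kubectl describe certificate app-tls` should report a `Ready` condition of `True`; if it stays `False`, the usual causes are the plugin's AWS identity lacking `acm-pca:IssueCertificate` and `acm-pca:GetCertificate` permission on the CA, or an ARN/region mismatch. Because the signing key is held by ACM Private CA rather than in cert-manager's memory, compromising the cert-manager pod exposes only the short-lived leaf keys it generated, not the CA itself.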

For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints.

To get started with ACM Private CA, visit the Getting Started page.