Skip to main content
The certforge-issuer is a cert-manager external issuer that intercepts CertificateRequest objects and submits them to CertForge for policy evaluation, approval, and issuance. Your existing Certificate manifests work unchanged — you just point issuerRef at CertForge instead of a built-in issuer.

Prerequisites

  • Kubernetes 1.24+
  • cert-manager v1.14+
  • A CertForge account with at least one Domain Trust Profile covering your cluster’s domains

Before you install

CertForge must be configured for the domains your workloads will request certificates for, otherwise requests will be rejected immediately with InvalidRequest. 1. Create a Domain Trust Profile covering the domain patterns your workloads use. For example, if pods will request certs for *.internal.example.com, your DTP must include that pattern. Go to Domain Trust Profiles → New in the CertForge dashboard. 2. Generate an API token — go to Settings → API Keys and create a token scoped to your organization. You will supply this during installation.

Installation

Cloud (app.certgovernance.app):
Self-hosted: replace the URL with your CertForge instance URL:
If your CertForge instance uses an internal or self-signed CA, add the CA certificate so the controller can verify TLS:

Manual

Configure the issuer

Namespaced issuer

Use CertForgeIssuer to scope issuance to a single namespace:

Cluster-wide issuer

Use CertForgeClusterIssuer to issue certificates across all namespaces. The credentials secret must live in the certforge-system namespace:

Self-hosted with internal CA trust

If CertForge presents a certificate signed by an internal CA, include the CA bundle so the controller trusts the TLS connection:
To get the base64 value:
Alternatively, reference a Kubernetes Secret containing the CA:

Request a certificate

Point any cert-manager Certificate at CertForge by changing issuerRef:
cert-manager creates a CertificateRequest; the issuer controller submits the CSR to CertForge; once issued the certificate is written back as a Kubernetes Secret.

Wildcard certificates

Wildcard certificates work the same way — ensure your DTP permits wildcards for the domain:

Multiple SANs

How approval works

The behavior depends on how your Domain Trust Profile is configured:
  • Auto-approve — the certificate is issued immediately, typically within a few seconds.
  • Manual approval required — the request enters the CertForge approval queue. The controller polls every 15 seconds until the request is approved or denied. The Certificate stays in a pending state until then.
Approvers can act on requests from the CertForge dashboard under Approvals.

Troubleshooting

If a Certificate stays pending, inspect the underlying CertificateRequest:
Check the issuer controller logs for connectivity errors:
Certificate stuck pending for more than a few minutes with auto-approve DTP: Check that the controller can reach CertForge — network policies or egress rules may be blocking the connection. The controller needs outbound HTTPS to the CertForge URL. x509: certificate signed by unknown authority: Your CertForge instance uses a CA the controller doesn’t trust. Add caBundle or caBundleSecretRef to the issuer spec as shown above. API token invalid in controller logs: The token in the certforge-credentials secret has expired or been revoked. Generate a new one under Settings → API Keys and update the secret:
For full controller configuration options and CRD field reference, see the certforge-issuer guide.