certforge-issuer is a cert-manager external issuer that intercepts CertificateRequest objects and submits them to CertForge for policy evaluation, approval, and issuance. Your existing Certificate manifests work unchanged — you just point issuerRef at CertForge instead of a built-in issuer.
Prerequisites
- Kubernetes 1.24+
- cert-manager v1.14+
- A CertForge account with at least one Domain Trust Profile covering your cluster’s domains
Before you install
CertForge must be configured for the domains your workloads will request certificates for, otherwise requests will be rejected immediately withInvalidRequest.
1. Create a Domain Trust Profile covering the domain patterns your workloads use. For example, if pods will request certs for *.internal.example.com, your DTP must include that pattern. Go to Domain Trust Profiles → New in the CertForge dashboard.
2. Generate an API token — go to Settings → API Keys and create a token scoped to your organization. You will supply this during installation.
Installation
Helm (recommended)
Cloud (app.certgovernance.app):Manual
Configure the issuer
Namespaced issuer
UseCertForgeIssuer to scope issuance to a single namespace:
Cluster-wide issuer
UseCertForgeClusterIssuer to issue certificates across all namespaces. The credentials secret must live in the certforge-system namespace:
Self-hosted with internal CA trust
If CertForge presents a certificate signed by an internal CA, include the CA bundle so the controller trusts the TLS connection:Request a certificate
Point any cert-managerCertificate at CertForge by changing issuerRef:
CertificateRequest; the issuer controller submits the CSR to CertForge; once issued the certificate is written back as a Kubernetes Secret.
Wildcard certificates
Wildcard certificates work the same way — ensure your DTP permits wildcards for the domain:Multiple SANs
How approval works
The behavior depends on how your Domain Trust Profile is configured:- Auto-approve — the certificate is issued immediately, typically within a few seconds.
- Manual approval required — the request enters the CertForge approval queue. The controller polls every 15 seconds until the request is approved or denied. The
Certificatestays in a pending state until then.
Troubleshooting
If aCertificate stays pending, inspect the underlying CertificateRequest:
Check the issuer controller logs for connectivity errors:
x509: certificate signed by unknown authority:
Your CertForge instance uses a CA the controller doesn’t trust. Add caBundle or caBundleSecretRef to the issuer spec as shown above.
API token invalid in controller logs:
The token in the certforge-credentials secret has expired or been revoked. Generate a new one under Settings → API Keys and update the secret: