gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd05bacb768627ea9eec38bda106176d0ed40104
certctl/docs/certctl-for-cert-manager-users.md
T
shankar0123 2655493ac8 fix(docs): correct migration guides — 17 issues found via repo audit 
Fixes factual errors, broken links, wrong ports, inaccurate GUI
descriptions, and misleading config formats across all three migration
guides (certbot, acme.sh, cert-manager).

Key fixes:
- Correct server port from 8080/3000 to 8443 across all guides
- Fix HTTPS→HTTP for Docker Compose (not TLS-terminated)
- Fix heartbeat interval: 60 seconds, not 5 minutes
- Fix "50 servers" → "10 servers" (50 certs across 10 servers)
- Replace JSON config blocks with env var format (actual config method)
- Fix policy creation flow to match actual GUI (name/type/severity/config)
- Fix issuer wizard description to match actual 2-step flow
- Fix Vault PKI "coming in v2.1" → "planned" (ships post-2.1.0)
- Fix 5 broken links (cert-manager.md, quickstart anchors, architecture anchor)
- Remove claim of auto-generated suggestions in discovery flow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 01:34:22 -04:00

6.8 KiB
Raw Blame History

certctl for cert-manager Users

You run cert-manager inside Kubernetes and it works well for in-cluster certificates. But you also have VMs, bare-metal servers, network appliances, and legacy systems outside the cluster. cert-manager can't reach those. This guide shows how certctl complements cert-manager to give you unified certificate visibility and automation across your entire infrastructure.

Not a Replacement

cert-manager is the right tool for in-cluster certs. It's tightly integrated with Kubernetes:

  • Native CRDs (Certificate, ClusterIssuer, Issuer)
  • Automatic cert injection into Ingress and Service objects
  • Controller-driven renewal within the cluster

certctl does not replace this. Instead, it extends your certificate management to everything outside Kubernetes: VMs, bare metal, network appliances, Windows servers, and legacy systems.

The Problem

Your setup:

  • cert-manager: handles all certs in Kubernetes (TLS for Ingress, service-to-service, internal services)
  • Everything else: NGINX/Apache on VMs, HAProxy load balancers on bare metal, network appliances, Windows servers with IIS — these are managed inconsistently. Maybe Certbot cron jobs, maybe manual renewal, maybe deprecated cert files sitting around.

Result:

  • No unified visibility — you don't know when non-Kubernetes certs expire
  • Renewal failures go unnoticed until the cert is already expired
  • Audit trail fragmented across multiple tools
  • Scaling to hundreds of machines becomes impossible

The Solution

Deploy certctl control plane once (Docker Compose, Kubernetes Helm chart, or self-hosted). Deploy agents on your VMs, bare metal, and network appliances. One dashboard shows:

  • All cert-manager certs via discovery scanning (agents find cert-manager-issued certs copied to target machines, or scan the cluster directly)
  • All certctl-managed certs issued by shared issuers (ACME, step-ca, Vault PKI (planned), private CA)
  • Unified renewal and deployment across both worlds
  • Single pane of glass with expiration timeline, renewal status, deployment verification, audit trail

How to Set Up

1. Install certctl Control Plane

Option A: Docker Compose (quickest for evaluation)

cd /opt/certctl
docker compose up -d
# Dashboard & API: http://localhost:8443

Option B: Kubernetes (recommended for prod)

helm install certctl deploy/helm/certctl/ \
  --set auth.apiKey=YOUR_SECURE_KEY

2. Deploy Agents to Non-Kubernetes Infrastructure

On each VM, bare-metal server, or appliance (via proxy agent):

# Linux amd64
curl -sSL https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
  -o /usr/local/bin/certctl-agent
chmod +x /usr/local/bin/certctl-agent

# Config
sudo tee /etc/certctl/agent.env > /dev/null <<EOF
CERTCTL_SERVER_URL=http://certctl-control-plane:8443
CERTCTL_API_KEY=your-api-key
CERTCTL_DISCOVERY_DIRS=/etc/nginx/certs,/etc/ssl,/etc/letsencrypt/live
CERTCTL_KEY_DIR=/var/lib/certctl/keys
EOF
sudo chmod 600 /etc/certctl/agent.env

# Start
sudo systemctl start certctl-agent

3. Enable Discovery Scanning

Agents scan configured directories and report back all existing certs. In the dashboard:

  • Discovery page: all found certs grouped by agent
  • Claim cert-manager certs to link them with Kubernetes metadata
  • Dismiss obsolete certs

4. Configure Shared Issuers

Set up the same issuer certctl uses for non-Kubernetes certs:

  • ACME (Let's Encrypt, for public certs)
  • step-ca (Smallstep, for internal certs)
  • Vault PKI (planned) (HashiCorp Vault, for enterprise PKI)
  • Private CA (your own internal root CA)

No new CA infrastructure needed. If cert-manager already uses your CA, certctl points to the same one.

5. Create Policies for Non-Kubernetes Certs

Go to Policies+ New Policy to create enforcement rules:

  • Name: e.g., "VM Certificate Policy"
  • Type: expiration_window or key_algorithm (enforce renewal thresholds or crypto requirements)
  • Severity: high
  • Config: set your enforcement parameters

Certificates are linked to issuers and profiles when created or claimed from discovery. Policies add guardrails — enforcing key algorithm requirements, expiration windows, and other compliance rules across your fleet.

6. View Unified Inventory

Dashboard shows:

  • Certificate status heatmap (all 1000 certs: cert-manager + certctl)
  • Renewal job trends (both types)
  • Expiration timeline (30/60/90 days)
  • Agent fleet status (all infrastructure)

Certificates page filters by issuer (show me all ACME certs, or all step-ca certs):

  • cert-manager certs discovered from Kubernetes nodes
  • certctl-managed certs on VMs
  • Network appliance certs auto-discovered

Shared Infrastructure

If cert-manager and certctl both use the same CA:

  • ACME: cert-manager uses ClusterIssuer + certctl uses ACME connector → same Let's Encrypt account, transparent coexistence
  • step-ca: cert-manager uses external issuer CRD + certctl uses step-ca connector → same provisioner, shared certificate inventory
  • Vault PKI (planned): cert-manager uses external issuer CRD + certctl uses Vault connector → same mount, same audit trail

No conflict. They just issue certs through the same CA. certctl's discovery scanning finds cert-manager-issued certs and shows them alongside certctl-managed ones.

Key Differences from cert-manager

Feature cert-manager certctl
Target In-cluster (Kubernetes) Out-of-cluster (VMs, bare metal, appliances)
Configuration CRDs (Certificate, ClusterIssuer, Issuer) API + Dashboard (JSON REST)
Deployment Injected into Secret objects, mounted by pods Agent pulls work, deploys via target-specific API (file, service restart, proxy agent)
Renewal Controller watches Certificate CRDs, triggers renewal when needed Scheduler checks thresholds, agents poll for work
Audit Kubernetes event log Immutable append-only audit trail
Visibility Per-namespace, per-resource Fleet-wide, unified inventory

Future Integration

On the roadmap (V4): cert-manager external issuer — certctl acts as a ClusterIssuer backend for Kubernetes. This would allow cert-manager to request certificates from certctl, which could issue them via any of its connectors (step-ca, Vault, private CA, etc.). Pure integration play; no breaking changes.

For now: cert-manager handles Kubernetes, certctl handles everything else. They coexist seamlessly.

Next Steps

  1. Review Quick Start for a 5-minute demo
  2. Explore Architecture for deployment architecture
  3. Read about Discovery Scanning to auto-find certs
  4. Check Helm Chart for production Kubernetes deployment
Reference in New Issue View Git Blame Copy Permalink