---
title: "Cryptographically Signed Swag: Cert-Manager’s Stamped Certificates"
weight: 5
tags:
  - platform
  - cert
  - security
---

{{% button href="https://youtu.be/vEeyZcQuD_A" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}

A talk by the cert-manager maintainers who also staffed the cert-manager booth. Humor is present, but the main focus is still the technical integration.

## Baseline

* cert-manager is the best™ way of getting certificates
* Poster features: auto-renewal, ACME, PKI, HashiCorp Vault
* Numbers: 20M downloads, 427 contributors, 11.3k GitHub stars
* Currently on the graduation path

## History

* 2016: Jetstack created kube-lego -> an operator that generated Let's Encrypt certificates for ingresses based on annotations
* 2017: cert-manager launch -> Certificate resources and Issuer resources
* 2020: v1.0.0 and joined the CNCF sandbox
* 2022: CNCF incubating
* 2024: Passed the CNCF security audit and on the way to graduation

## The booth works

### How it came to be

* The idea: mix the digital certificate with the classical seal
* Started as the stamping idea to celebrate v1 and send contributors a thank-you sealed with candles
* Problem: candles are not allowed -> therefore a glue gun

### How it works

* Components
  * Raspberry Pi with k3s
  * Printer
  * cert-manager
  * A Go-based web UI
  * QR code: contains a link to the certificate together with its private key (whoever scans the printout can fetch the key, so the printout is the credential)

```mermaid
flowchart LR
    ui(UI in Go)-->|Generate Certificate resource|kubeapi
    kubeapi-->|Issue certificate|CertManager
    CertManager-->|Certificate|ui
    ui-->|print|Printer
```

### What is new this year

* Idea: the certificates should be usable for TLS
* Solution: the QR code links to a zip download with the certificate and the private key
* New: ECDSA for everything
* New: a stable root CA with one intermediate per conference
* New: a guestbook that can only be signed with a booth-issued certificate -> available via a script

## Learnings

* This demo is just a private CA run by cert-manager -> the same pattern applies to any private-PKI use case
* A certificate can be requested via the Certificate CR, via the CSI driver (which issues the certificate and mounts it into the pod), via ingress annotations, ...
* You can use many different issuers (CA issuer aka private PKI, Let's Encrypt, Vault, AWS, ...)

```mermaid
flowchart LR
    ui-->|Input certificate subject details|CertManager
    cai(CA Issuer)-->|Source for certificate|CertManager
    CertManager-->|Creates|sr(Secret resource)
```

## Conclusion

* This is not just a demo -> apply the same setup to machine identities
* The project has regular meetings (daily stand-ups and bi-weekly meetings)
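The private-CA layout from the Learnings section, written out as cert-manager resources. This is an added example, not the booth's or the project's own manifests: a self-signed bootstrap issuer signs a long-lived ECDSA root, a ClusterIssuer backed by that root signs one intermediate per conference, and a namespaced Issuer backed by the intermediate signs the visitor leaf, ECDSA throughout. Resource names, namespaces, durations and key sizes are assumptions.

```yaml
# Bootstrap: a self-signed issuer is only used once, to mint the root.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# The stable root CA. Lives in cert-manager's own namespace so the
# ClusterIssuer below can read its Secret (name and duration are assumptions).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: booth-root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: booth root CA
  secretName: booth-root-ca
  duration: 87600h          # 10 years
  privateKey:
    algorithm: ECDSA
    size: 384
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: booth-root-ca
spec:
  ca:
    secretName: booth-root-ca
---
# One intermediate per conference; the root key is never used for leaves.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: booth-conference-intermediate   # assumed name, one per event
  namespace: booth
spec:
  isCA: true
  commonName: booth conference intermediate
  secretName: booth-conference-intermediate
  duration: 2160h           # 90 days, covers the event with margin
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: booth-root-ca
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: booth-conference
  namespace: booth
spec:
  ca:
    secretName: booth-conference-intermediate
---
# The visitor certificate the web UI would create; usable for TLS and for
# signing guestbook entries.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: visitor-0001        # assumed name, generated per visitor
  namespace: booth
spec:
  commonName: visitor-0001
  secretName: visitor-0001-tls
  duration: 720h
  usages:
    - digital signature
    - client auth
    - server auth
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always  # new key on every renewal, never reuse the old one
  issuerRef:
    name: booth-conference
    kind: Issuer
```

Apply with `kubectl apply -f` and watch `kubectl get certificate -A` until every resource reports `Ready`. The issued Secret contains `tls.crt`, `tls.key` and `ca.crt`; before handing such a bundle to a TLS client, inspect which certificates actually ended up in `tls.crt` and `ca.crt`, because a client that only trusts the root needs the intermediate in the chain it receives. The root Secret is the crown jewel of this setup: restrict RBAC on the `cert-manager` namespace accordingly.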
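The guestbook rule from "What is new this year" (an entry is accepted only if it was signed with a booth-issued certificate) and the chain shape from Learnings, as an added Go example that is not the booth's script or cert-manager code. It builds root, per-conference intermediate and visitor leaf in memory with the standard library (cert-manager would hold these in Secrets), signs a constructed entry with the leaf key, and then checks three cases a guestbook must get right: a genuine entry is accepted, a certificate from an unrelated CA of the same shape is rejected, and a tampered entry is rejected. Names, serials and lifetimes are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BoothPKI mirrors the booth layout: stable root, per-conference intermediate,
// visitor leaf, all ECDSA P-256. Constructed here; names are assumptions.
type BoothPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey
}

func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl for pub with parentKey; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewBoothPKI builds root -> intermediate -> leaf under the given root name.
func NewBoothPKI(rootName string) BoothPKI {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template(rootName, 1, true)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := issue(template(rootName+" conference intermediate", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("visitor-0001", 3, false), inter, &leafKey.PublicKey, interKey)
	return BoothPKI{root, inter, leaf, leafKey}
}

// SignEntry is what the visitor's script does with the key from the QR-code zip.
func SignEntry(key *ecdsa.PrivateKey, entry []byte) []byte {
	sum := sha256.Sum256(entry)
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyEntry accepts the entry only if signer chains to root through the
// intermediates with the client-auth EKU and the ECDSA signature matches.
func VerifyEntry(root *x509.Certificate, intermediates []*x509.Certificate, signer *x509.Certificate, entry, sig []byte) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("not a booth-issued certificate: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("signer does not use ECDSA")
	}
	sum := sha256.Sum256(entry)
	if !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return fmt.Errorf("signature does not match entry")
	}
	return nil
}

// Scenario reports the three outcomes a guestbook must get right.
type Scenario struct{ BoothAccepted, ForeignRejected, TamperedRejected bool }

func RunScenario() Scenario {
	booth := NewBoothPKI("booth root CA")
	foreign := NewBoothPKI("some other root CA") // same shape, different trust anchor
	entry := []byte("Greetings from the booth!")  // constructed sample entry
	sig, inter := SignEntry(booth.LeafKey, entry), []*x509.Certificate{booth.Intermediate}
	return Scenario{
		BoothAccepted:    VerifyEntry(booth.Root, inter, booth.Leaf, entry, sig) == nil,
		ForeignRejected:  VerifyEntry(booth.Root, inter, foreign.Leaf, entry, SignEntry(foreign.LeafKey, entry)) != nil,
		TamperedRejected: VerifyEntry(booth.Root, inter, booth.Leaf, append([]byte("x"), entry...), sig) != nil,
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The check deliberately verifies the chain before the signature: a valid signature from a key that is not booth-issued proves nothing, and the foreign case shows that an attacker who mints a structurally identical CA still fails because only the booth root is in the trust pool. In a real deployment the root would be read from the cert-manager Secret and the entry hashed over a canonical encoding so a reordered field cannot pass as the same entry.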