Because we specified the commonName field, myexample.com will be the common name of both certificates, and the common name together with every element of the dnsNames array will become Subject Alternative Names (SANs). Had we not specified a common name, the first element of the dnsNames list would have been used as the common name, and all elements of the dnsNames list would still be SANs.
After creating the certificate above, we can check whether it was obtained successfully. The following command inspects the certificate myexample-certificate:
kubectl describe certificate myexample-certificate
Name:         myexample-certificate
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"myexample-certificate","namespace":"...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-08-11T12:52:27Z
  Generation:          1
  Resource Version:    104827780
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/myexample-certificate
  UID:                 df6b70ad-bc36-11e9-9226-e68035cfae8e
Spec:
  Common Name:  myexample.com
  Dns Names:
    myexample.com
    www.myexample.com
  Issuer Ref:
    Kind:  Issuer
    Name:  ca-issuer
  Organization:
    MyExample CA
  Secret Name:  istio-myexample-customingressgateway-certs
Status:
  Conditions:
    Last Transition Time:  2019-08-11T12:52:27Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-11-09T12:52:27Z
Events:
  Type    Reason      Age   From          Message
  ----    ------      ----  ----          -------
  Normal  CertIssued  67s   cert-manager  Certificate issued successfully
The last line shows that the certificate was created successfully.
You can also check whether the Issuer succeeded; you should see the base64-encoded signed TLS key pair:
kubectl get secret istio-myexample-customingressgateway-certs -oyaml
Once the certificate has been obtained, cert-manager keeps checking its validity and attempts to renew it as it approaches expiry. cert-manager considers a certificate to be about to expire when its "Not After" field is less than 30 days after the current time. For CA-based issuers, cert-manager issues certificates whose "Not After" field is set to the current time plus 365 days.
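The two rules described on this page, the CN/dnsNames-to-SAN mapping and the 30-day renewal window, can be turned into a small readiness and expiry check run against the Certificate object. The following is an added example, not code from the page or from cert-manager; the Certificate JSON is a constructed sample mirroring the describe output above, and the field names (spec.commonName, spec.dnsNames, status.notAfter, status.conditions) are assumed to match what `kubectl get certificate -o json` returns.

```python
import json
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=30)  # cert-manager renews once less than 30 days remain
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"      # timestamp layout seen in the kubectl output above

# Constructed sample: the myexample-certificate object as `kubectl get certificate -o json`
# would return it, reduced to the fields the check needs (values taken from the page).
SAMPLE_CERT_JSON = json.dumps({
    "spec": {
        "commonName": "myexample.com",
        "dnsNames": ["myexample.com", "www.myexample.com"],
        "issuerRef": {"kind": "Issuer", "name": "ca-issuer"},
        "secretName": "istio-myexample-customingressgateway-certs",
    },
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired"}],
        "notAfter": "2019-11-09T12:52:27Z",
    },
})

def parse_time(ts):
    return datetime.strptime(ts, TIME_FMT)

def expected_names(spec):
    """CN plus every dnsNames entry; with no CN, the first dnsNames entry becomes the CN."""
    dns = list(spec.get("dnsNames", []))
    cn = spec.get("commonName") or (dns[0] if dns else None)
    return cn, sorted(set(dns) | ({cn} if cn else set()))

def check_certificate(cert_json, now):
    """Summarise readiness, the names the issued cert must carry, and renewal status."""
    obj = json.loads(cert_json)
    ready = any(c["type"] == "Ready" and c["status"] == "True"
                for c in obj["status"].get("conditions", []))
    cn, sans = expected_names(obj["spec"])
    remaining = parse_time(obj["status"]["notAfter"]) - now
    return {
        "ready": ready,
        "common_name": cn,
        "sans": sans,
        "days_remaining": remaining.days,
        "expired": remaining <= timedelta(0),
        "renewal_due": remaining < RENEWAL_WINDOW,  # 30-day rule from the text
    }

if __name__ == "__main__":
    for when in ("2019-08-11T12:52:27Z", "2019-10-15T00:00:00Z"):
        print(when, check_certificate(SAMPLE_CERT_JSON, parse_time(when)))
```

Run against the sample at issuance time it reports 90 days remaining and no renewal due; evaluated in mid-October 2019 the same certificate falls inside the 30-day window and is flagged for renewal.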