Skip to main content

Certificate Lifecycle

The CZERTAINLY Issuer will automatically manage the lifecycle of the certificate, including renewal and revocation, according to the configuration specified in the Certificate resource. The lifecycle management is controlled by the cert-manager, which will periodically check the status of the certificate and trigger operations as needed.

Certificate issuance

The initial issuance of the certificate is triggered by the cert-manager controller, and the CZERTAINLY Issuer starts to communicate with the CZERTAINLY platform to issue the certificate, storing the identifier of the issued certificate in the Certificate annotations czertainly-issuer.czertainly.com/certificate-uuid.

This identifier is used later to manage the certificate lifecycle, including renewal and rekey operations.

The following represents the certificate issuance process:

Certificate renewal

When the certificate should be renewed (e.g., when it is close to expiration), the cert-manager will automatically trigger the renewal process. cert-manager will create a new CertificateRequest resource, which contains the annotations czertainly-issuer.czertainly.com/certificate-uuid taken from the original Certificate resource. The CZERTAINLY Issuer will then use this UUID to identify the certificate to be linked with the process.

Based on the private key rotation policy defined in the Certificate resource, the CZERTAINLY Issuer will either renew the certificate with the same public key or rekey it with a new public key. The renewal process is similar to the initial issuance, and the CZERTAINLY Issuer will communicate with the CZERTAINLY platform to renew the certificate.

The following represents the certificate renewal process:

Certificate polling process

The CZERTAINLY Issuer will periodically poll the CZERTAINLY platform for the status of the certificate. This is done to ensure that the certificate lifecycle is managed correctly, and any changes in the certificate status are reflected in the Certificate resource.

The following represents the certificate polling process: