Certificate generation through Cert-Manager Integration
Request a certificate through Kubernetes cert-manager using the ServiceNow External Issuer (sn-external-issuer) and save the certificate and its related information securely within the Kubernetes cluster as a secret. In Kubernetes, a secret is an object that allows you to store and manage sensitive information, such as passwords, API keys, and certificates.
For information on building an external issuer, see Building and Deploying External Issuer For Certificate Management [KB1435392].
Deployment Requirements
- Deploy cert-manager in your Kubernetes environment. Update manager.yaml with Instance URL, Certificate Owner Group, Certificate Owner, Environment, and Renewal Tracking.
- Deploy the ServiceNow External Issuer (sn-external-issuer) in your Kubernetes environment. Create a Kubernetes secret clusterissuer-servicenow-credentials with the instance username and password, ensuring the user has the necessary roles to request a certificate.
- The ServiceNow External Issuer supports amd64 architecture along with the latest version of Kubernetes, 1.33.3.
ServiceNow External Issuer (sn-external-issuer)
- External issuers expand cert-manager functionality to issue certificates through non-core APIs and services.
- The ServiceNow External Issuer is a ServiceNow-specific implementation of an External Issuer.
- When a new certificate task is created, its Certificate Request UID and Certificate Task Sys Id are stored in the local JSON cache and the Certificate Request UID to Task Map table on the instance.
- The ServiceNow External Issuer polls the instance to monitor the status of the certificate task.
- If the certificate task is in the Work in progress state, its Certificate Request UID and Certificate Task Sys Id are added to the External Issuer UID Map table on the instance and the local JSON cache. During this time, Cert-manager automatically attempts to request the certificate.
- Upon receiving a certificate request, Cert-manager checks for a matching task in the local JSON cache. If found, it polls the same task; otherwise, it queries the instance for records from the External Issuer UID Map table and populates the local JSON cache.
- Once the task is marked as complete and the certificate is generated, the ServiceNow External Issuer sends another request to the instance, downloads the certificate attachment, and updates the certificate resource and corresponding secret in Kubernetes.
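The request-tracking flow in the bullets above, as a small added model (not the issuer's own code): the instance client, the task state labels and the sys_id format are stand-ins. It shows the point that matters operationally, namely that the local JSON cache is only a copy of the UID Map table on the instance, so an issuer restarted with an empty cache must look the request up on the instance rather than open a second task for the same Certificate Request UID.

```python
import json
import os
import tempfile

WIP, COMPLETE = "Work in progress", "Complete"  # assumed task state labels

class FakeInstance:
    """Stand-in (assumption) for the ServiceNow instance: certificate tasks,
    the External Issuer UID Map table and the certificate attachments."""
    def __init__(self):
        self.tasks = {}        # task sys_id -> state
        self.uid_map = {}      # Certificate Request UID -> task sys_id
        self.attachments = {}  # task sys_id -> certificate PEM bytes

    def create_task(self, request_uid):
        sys_id = "task-%04d" % (len(self.tasks) + 1)  # constructed sys_id
        self.tasks[sys_id] = WIP
        self.uid_map[request_uid] = sys_id
        return sys_id

def fresh_cache_path():
    """Path for a new, empty local JSON cache (one per issuer process)."""
    return os.path.join(tempfile.mkdtemp(), "cache.json")

def load_cache(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def reconcile(instance, cache_path, request_uid):
    """One reconcile pass: ("pending", None) while the task is open,
    ("issued", pem) once the instance has attached the certificate."""
    cache = load_cache(cache_path)
    sys_id = cache.get(request_uid)
    if sys_id is None:
        # Cache miss (first request or lost cache): the UID Map table on the
        # instance is the durable record, so consult it before opening a task.
        sys_id = instance.uid_map.get(request_uid) or instance.create_task(request_uid)
        cache[request_uid] = sys_id
        with open(cache_path, "w") as f:
            json.dump(cache, f)
    if instance.tasks[sys_id] != COMPLETE:
        return ("pending", None)  # cert-manager retries; the issuer keeps polling
    return ("issued", instance.attachments[sys_id])
```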
Deploying the ServiceNow External Issuer in Kubernetes
- From the ServiceNow instance download page, obtain the Helm Chart or YAML zip package.
- Customize the manager.yaml or values.yaml files as needed for your specific use case. These files may include essential information such as the Instance URL and Certificate Owner Group.
- Create a Kubernetes secret named clusterissuer-servicenow-credentials with the instance username and password. Example command:
kubectl create secret generic clusterissuer-servicenow-credentials --from-literal=user=<user_name> --from-literal=password=<password> -n system
- Ensure that the user has the necessary roles to request certificates.
- Execute the following commands for deployment.
kubectl create ns system
kubectl apply -f crd
kubectl apply -f rbac
kubectl apply -f issuers
kubectl apply -f manager/manager.yaml
- (Optional) Customize any additional configurations in the files to suit your specific requirements.
- Ensure that the deployment is successful and the ServiceNow External Issuer is up and running.
Request new certificate flow
After deployment, submit a certificate resource with the following information in a file named certificate_clusterissuer.yaml.
- issuerRef name : clusterissuer-servicenow
- issuer : issuer-servicenow
- kind : ClusterIssuer
- issuerRef group : servicenow-issuer.servicenow.com
Here's a sample Certificate Resource:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-by-clusterissuer
spec:
  commonName: certificate-by-clusterissuer.servicenow.com
  secretName: certificate-by-clusterissuer
  dnsNames:
    - servicenow.com
    - foo.servicenow.com
  issuerRef:
    name: clusterissuer-servicenow
    group: servicenow-issuer.servicenow.com
    kind: ClusterIssuer
Apply the certificate resource using kubectl apply -f certificate_clusterissuer.yaml.