Linkerd Certificate Management with AWS Private CA Issuer

Related to an earlier blog post and question:

  1. Workshop Recap: Linkerd Certificate Management with Vault | Linkerd
  2. Security and operational considerations when setting intermediate CA cert expiries (cert-manager)

I’m looking for a workshop/blog similar to “Linkerd Certificate Management with Vault”, except for AWS Private CA Issuer.

cert-manager/aws-privateca-issuer

Does this exist?

If not, how different would it be from the Vault version?

Is the short-lived (7-day) AWS Issuer mode a candidate for this application?

Answer: Yes, according to this article:

https://aws.amazon.com/blogs/security/how-to-use-aws-private-certificate-authority-short-lived-certificate-mode/

There’s a cert-manager extension for the AWS Private CA Issuer. I would expect that if you use that extension for your cert-manager (Cluster)Issuers in our normal instructions about certificate management with Linkerd, then it will work. As always, the main thing to be aware of at present is the need for restarts after rotating the trust anchor.
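As an added illustration (not from the original thread, and not the Linkerd or aws-privateca-issuer projects' own manifests), this is what the Linkerd identity-issuer Certificate from Linkerd's cert-manager instructions looks like when its issuerRef points at an AWSPCAClusterIssuer instead of a Vault-backed issuer. The issuer name, CA ARN, region and the 48h/25h durations are assumptions; the 48h validity is chosen so the issuer certificate fits under the 7-day cap of short-lived certificate mode.

```yaml
# Added example, not from the original thread. ARN, region and names are placeholders.
#
# 1. Cluster-scoped cert-manager issuer backed by a subordinate CA in AWS Private CA.
#    Whether that CA runs in short-lived certificate mode is configured on the CA
#    in AWS itself, not on this resource.
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: linkerd-identity-pca            # assumed name
spec:
  arn: arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/00000000-0000-0000-0000-000000000000  # placeholder
  region: us-east-1                     # placeholder
---
# 2. Linkerd's identity issuer certificate. Same shape as in the Linkerd
#    cert-manager instructions; only the issuerRef changes. cert-manager writes
#    tls.crt, tls.key and ca.crt into the secret the Linkerd identity service reads.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h         # assumed; must stay under the 7-day maximum of short-lived mode
  renewBefore: 25h      # assumed; renew early so proxies always find a valid issuer
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: linkerd-identity-pca
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  isCA: true            # the identity service signs proxy certificates with this key
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
```

The rest of the procedure is the one from the Vault workshop: install Linkerd with an external issuer and pass the PEM of the AWS Private CA root (the trust anchor) as the trust anchors file. The trust anchor is not managed by this Certificate resource, which is why rotating it still requires the restarts mentioned in the answer. Two things to check before relying on this: the aws-privateca-issuer needs AWS credentials (for example an IAM role via IRSA) allowed to issue from that CA ARN, and, because Linkerd's issuer must be a CA, confirm in the issuer's documentation that `isCA: true` is mapped to a subordinate CA template in Private CA rather than an end-entity template.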