aws-privateca-issuer: AWS PCA shared cannot generate certificate

Currently the aws-privateca-issuer cannot manage to use AWS PCA shared from another account via RAM because when you share a PCA, acm-pca:IssueCertificate requests a condition: StringEquals acm-pca:TemplateArn: "arn:aws:acm-pca:::template/EndEntityCertificate/V1" and there is no way to have that permission without condition.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 16 (1 by maintainers)

Most upvoted comments

If someone else finds this issue, it can be solved by adding the following annotation to the ingress: cert-manager.io/usages: "server auth,client auth"

After looking in the pca.go, it appears that the way for you to request the EndEntityCertificate/V1 and meet the condition is by adding, under the spec.usages section of the certificate YAML, "- server auth" along with "- client auth"!

Let me know if that helps. If you want support for more templates between shared resources that would be an AWS support request rather than a request here.

Regards, Tony

Thanks for the information.

Please refer to the following in the README: https://github.com/cert-manager/aws-privateca-issuer#mapping-cert-manager-usage-types-to-aws-pca-template-arns.

AWS Private CA has certificate templates (specified by template ARNs) that are used when issuing certificates. Only a subset of these certificate templates are supported in cross-account issuance via RAM. The list of RAM-supported certificate templates is available on the RAM console. You chose AWSRAMDefaultPermissionCertificateAuthority - this corresponds to the following certificate template acm-pca:::template/EndEntityCertificate/V1. According to the chart in the README, you’ll have to set your Usage Types to ClientAuth, ServerAuth to get this plugin to issue acm-pca:::template/EndEntityCertificate/V1 certificates. Please give that a go, and let me know.
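Added example, not code from the issue or from the aws-privateca-issuer project: a small model of the two halves of this thread, the way the issuer derives an AWS Private CA template ARN from a Certificate's spec.usages (or from the cert-manager.io/usages ingress annotation), and the StringEquals condition on acm-pca:TemplateArn that the RAM default permission attaches to acm-pca:IssueCertificate. Only the "server auth" + "client auth" -> EndEntityCertificate/V1 row is confirmed by the thread; the other rows are assumed from the README mapping table linked above and should be checked against the issuer version you run. The permission statement is constructed for illustration.

```python
"""Model: cert-manager usages -> AWS PCA template ARN -> RAM condition check.

Added example (not project code). The usage-to-template rows other than
"server auth" + "client auth" are an assumption taken from the issuer's
README and may differ between releases.
"""
from typing import Iterable, List, Optional, Tuple

TEMPLATE_PREFIX = "arn:aws:acm-pca:::template/"

# Constructed RAM permission statement matching what the issue describes:
# IssueCertificate is allowed only for the EndEntityCertificate/V1 template.
SHARED_CA_PERMISSION = {
    "Effect": "Allow",
    "Action": ["acm-pca:IssueCertificate"],
    "Condition": {
        "StringEquals": {
            "acm-pca:TemplateArn": TEMPLATE_PREFIX + "EndEntityCertificate/V1"
        }
    },
}


def usages_from_ingress_annotation(value: str) -> List[str]:
    """Split the cert-manager.io/usages annotation value into usage names."""
    return [u.strip() for u in value.split(",") if u.strip()]


def template_arn_for_usages(usages: Iterable[str]) -> Optional[str]:
    """Return the template ARN the issuer would request for these usages.

    Confirmed by the thread: server auth + client auth -> EndEntityCertificate/V1.
    Remaining rows: assumption from the README mapping table. Other key usages
    such as "digital signature" do not influence the template choice.
    """
    wanted = {u.strip().lower() for u in usages}
    server, client = "server auth" in wanted, "client auth" in wanted
    if server and client:
        return TEMPLATE_PREFIX + "EndEntityCertificate/V1"
    if server:
        return TEMPLATE_PREFIX + "EndEntityServerAuthCertificate/V1"  # assumed row
    if client:
        return TEMPLATE_PREFIX + "EndEntityClientAuthCertificate/V1"  # assumed row
    if "code signing" in wanted:
        return TEMPLATE_PREFIX + "CodeSigningCertificate/V1"  # assumed row
    if "ocsp signing" in wanted:
        return TEMPLATE_PREFIX + "OCSPSigningCertificate/V1"  # assumed row
    return None  # no dedicated template for this usage set


def issue_allowed(template_arn: Optional[str], statement=SHARED_CA_PERMISSION) -> bool:
    """Evaluate the statement the way IAM treats a single-valued StringEquals key:
    every listed condition key must match exactly; a missing value never matches."""
    if statement.get("Effect") != "Allow":
        return False
    if "acm-pca:IssueCertificate" not in statement.get("Action", []):
        return False
    request_context = {"acm-pca:TemplateArn": template_arn}
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        allowed_values = [expected] if isinstance(expected, str) else list(expected)
        if request_context.get(key) not in allowed_values:
            return False
    return True


def check_certificate(usages: Iterable[str]) -> Tuple[Optional[str], bool]:
    """Template ARN the issuer would send, and whether the shared CA accepts it."""
    arn = template_arn_for_usages(usages)
    return arn, issue_allowed(arn)


if __name__ == "__main__":
    samples = {
        "cert-manager default usages": ["digital signature", "key encipherment", "server auth"],
        "fixed spec.usages": ["server auth", "client auth"],
        "ingress annotation": usages_from_ingress_annotation("server auth,client auth"),
    }
    for label, usages in samples.items():
        arn, ok = check_certificate(usages)
        print(f"{label:28} -> {arn}  allowed={ok}")
```

The first sample reproduces the failure in the issue: a Certificate with only "server auth" maps to a different template, so the StringEquals condition on the shared CA rejects the IssueCertificate call; adding "client auth" flips the result without touching the RAM permission.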

No problem at all! Thank you for reaching out to Amazon AWS. Please reopen if you have any issues or questions.

You are right, this issue was on my side. I initially created an IRSA role for cert-manager because I thought the cert-manager SA needs IRSA because PCA is only a plugin which is called on behalf of cert-manager. But then switched to IRSA for ServiceAccount aws-privateca-issuer and annotated it which cannot work. Now I corrected the trust policy of the role with the correct SA! Sorry for that.