cert-manager: Error getting keypair for CA issuer: certificate is not a CA

/kind bug

What happened: I followed the tutorial: https://github.com/jetstack/cert-manager/blob/master/docs/user-guides/ca-based-issuer.md. After I’ve created the secret and the issuer, it throws an error: Error getting keypair for CA issuer: certificate is not a CA

What you expected to happen: It reads the keypair successfully

Environment:

  • Kubernetes version (use kubectl version): 1.9
  • Cloud provider or hardware configuration: GKE

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 14
  • Comments: 18 (2 by maintainers)

Most upvoted comments

@whereisaaron I think that would work too, and be much easier.

It turns out that on macOS the default OpenSSL config does not include the configuration for v3_ca certificate generation. When you follow the directions on the cert-manager site, as well as most other sites which reference OpenSSL, they do not work. The key for me was adding:

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

to the /etc/ssl/openssl.cnf file, and then adding -extension v3_ca to the OpenSSL cert generation command. Perhaps this will help others.

When on macOS, generally an alternative version of OpenSSL is installed via Homebrew. In that case, using -config /usr/local/etc/openssl/openssl.cnf works without any modifications.

openssl req -x509 -new -nodes -key ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl/openssl.cnf

If you don’t want to modify your /etc/ssl/openssl.cnf you can also just create a copy and reference it with the -config option, like so:

1. Copy Files

cp /etc/ssl/openssl.cnf openssl-with-ca.cnf

2. Append v3_ca options

Append the 4 lines mentioned in the comment above to your local copy using your favorite text editor.

3. Create the certificate referencing the file like so

openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -extensions v3_ca -config openssl-with-ca.cnf

Thanks. I avoided the error by removing the “:always”, like this:

authorityKeyIdentifier = keyid,issuer

In that case, try using the “openssl” binary installed by Homebrew instead, @mikereiche

$ brew list openssl | grep bin/openssl
/usr/local/Cellar/openssl/1.0.2t/bin/openssl

$ /usr/local/Cellar/openssl/1.0.2t/bin/openssl version
OpenSSL 1.0.2t  10 Sep 2019