Issuing Policy

cert-manager integrates with a large number of different certificate issuers, each issuer has full autonomy over what issued certificates look like and what properties they have. cert-manager does not require or enforce any specific relationship between the properties in a CertificateRequest/ CertificateSigningRequest and the properties in the issued certificate (except for the public key which must match).

For the core SelfSigned and CA issuers, cert-manager implements its own issuing policy. This policy is very simple and is not configurable. All the requested properties will be copied into the issued certificate.

Another example is the Let's Encrypt CA issuer which also implements its own issuing policy. This policy is more complex than a 1:1 copy of the requested properties. For example, the Let's Encrypt issuer will always issue certificates with a 90 day validity period. Also, it only supports a limited set of (extended) key usages.