direct cfssl certificate issuance?

[tmc]

Direct cfssl issuance might make more sense when you might exceed letsencrypt limits and run an internal CA.

[munnerz]

This would be a nice feature, however I'm hesitant to add additional auth types, especially when they are so distinct.

If you have issues with rate limits on Letsencrypt and want to run your own CA, it may be worth considering running your own instance of boulder, the ACME server.

[munnerz]

So a quick update, I've been working on cert-manager that should (eventually) allow for this.

It has a pluggable set of issuer backends, so we should be able to support a simple issuer backed by a plain signing certificate/key instead of being tied to ACME. The relevant issue is here: https://github.com/jetstack-experimental/cert-manager/issues/8

It's scheduled to be added in to be present for the 0.0.1 release, so I'd love to hear your feedback once it's there!