Kubernetes certificate management is the practice of issuing, renewing, and revoking the TLS certificates that secure a Kubernetes cluster and its workloads. cert-manager is the CNCF-graduated tool that automates this inside the cluster.
Kubernetes relies on TLS certificates for its control plane and for securing workload traffic, and managing them by hand does not scale. cert-manager, a CNCF graduated project, adds certificates and issuers as native Kubernetes resources and automatically requests and renews certificates from sources like Let’s Encrypt, Vault, or a private CA, reducing outages from expired certificates.
Key Takeaways
- Kubernetes uses TLS certificates for the control plane and for securing service-to-service traffic.
- cert-manager is the de facto tool for in-cluster certificate automation and became a CNCF graduated project in November 2024. The CNCF reports it is deployed in 86 percent of new production clusters.
- It adds Certificate and Issuer resources to Kubernetes and renews certificates automatically before expiry.
- It issues from many sources: ACME (Let’s Encrypt), HashiCorp Vault, AWS Private CA, Google CAS, Venafi, and private CAs.
- For policy and visibility across clusters, cert-manager pairs with a central certificate management platform.
Why Kubernetes Needs Certificate Management
Kubernetes is built on TLS. Its control plane and its workloads depend on certificates to authenticate and encrypt traffic, and clusters can contain hundreds of short-lived components. Managing those certificates by hand does not scale, and an expired certificate can break the cluster or take a service offline. This is the same certificate management challenge seen elsewhere, intensified by Kubernetes scale and churn.
Certificates in a Kubernetes Cluster
Certificates appear in two main places. The control plane uses them so components such as the API server, kubelets, and etcd can authenticate to one another. Workloads use them to secure service-to-service traffic, frequently with mutual TLS (mTLS) so both sides of a connection verify each other. Both areas need reliable, automated issuance and renewal.
What Is cert-manager?
cert-manager is the de facto tool for automating certificates inside Kubernetes. It is an open-source project that reached graduated status in the Cloud Native Computing Foundation (CNCF) in November 2024, a marker of maturity and broad adoption; the CNCF reports that 86 percent of new production clusters deploy cert-manager as standard practice. While it is most often used for TLS and mTLS, cert-manager manages X.509 certificates generally, making certificate issuance and renewal a native, declarative part of the cluster.
How cert-manager Works
cert-manager adds custom resources and controllers that handle certificates automatically:
- Issuer / ClusterIssuer: Defines a source of certificates, such as Let’s Encrypt, Vault, or a private CA.
- Certificate: Declares the certificate you want; cert-manager obtains and stores it as a Kubernetes secret.
- Controllers: Watch these resources and automatically renew certificates before they expire.
Because renewal is automatic and happens ahead of expiry, cert-manager removes a common source of outages and manual toil.
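The three resource kinds above form a chain. The manifest below is an added example, not taken from the page or from the cert-manager project itself. It assumes cert-manager is installed with its default cluster resource namespace, `cert-manager`, which is where a ClusterIssuer reads its Secret, and every name in it (`selfsigned-bootstrap`, `internal-root-ca`, `payments-api`, the `payments` namespace) is constructed for illustration. It bootstraps a self-signed root, turns that root into a CA ClusterIssuer, and requests a workload certificate that cert-manager stores in a Secret and renews on its own.

```yaml
# Step 1: a self-signed ClusterIssuer used only to bootstrap the internal root.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# Step 2: the internal root CA, issued by the bootstrap issuer.
# The Secret must live in cert-manager's cluster resource namespace so the
# ClusterIssuer in step 3 can read it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-root-ca          # constructed name
  secretName: internal-root-ca-secret   # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 87600h                      # 10 years; renewed ahead of expiry like any Certificate
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
# Step 3: a CA ClusterIssuer that signs with the root from step 2.
# Caveat: the CA private key sits in a Kubernetes Secret here. A production
# root belongs in Vault, a managed cloud CA or an HSM-backed issuer, with this
# in-cluster CA at most an intermediate issued from it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-root-ca-secret
---
# Step 4: a workload certificate. cert-manager's controllers generate the key
# pair, submit a CertificateRequest to internal-ca, store the result in the
# named Secret and renew it before expiry, with no manual step.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api
  namespace: payments
spec:
  secretName: payments-api-tls
  commonName: payments-api.payments.svc.cluster.local
  dnsNames:
    - payments-api
    - payments-api.payments.svc
    - payments-api.payments.svc.cluster.local
  usages:
    - server auth
    - client auth                       # a workload that also dials peers over mTLS presents this
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
    group: cert-manager.io
```

After `kubectl apply -f` on this file, `kubectl get certificate -A` shows each Certificate's READY column, and `kubectl describe certificate payments-api -n payments` lists the issuance events. The Pod then mounts the `payments-api-tls` Secret as a volume; because the issuer is a CA issuer, the Secret also carries `ca.crt`, which peers can use as their trust anchor for mTLS.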
cert-manager Issuers
| Issuer | Use |
|---|---|
| ACME (Let’s Encrypt) | Free, automated public certificates for internet-facing endpoints. |
| HashiCorp Vault | Internal certificates issued from a Vault PKI backend. |
| AWS Private CA / Google CAS | Certificates issued from managed cloud CA services. |
| Private CA | Workload certificates issued from your own certificate authority. |
| Venafi and others | Integration with enterprise certificate authorities and platforms. |
Best Practices for Kubernetes Certificate Management
- Automate issuance and renewal with cert-manager rather than handling certificates manually.
- Use short-lived certificates and let cert-manager rotate them frequently.
- Issue internal workload certificates from a private CA you control, and public certificates from a public CA.
- Protect private keys and high-value CA keys, ideally with a hardware security module.
- Maintain central visibility across all clusters so no certificate is untracked.
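The first three practices map directly onto Certificate and Issuer fields. The manifests below are an added example, not from the page or from cert-manager's documentation: a workload Certificate left at its defaults sits beside the same Certificate hardened for a short lifetime and key rotation, followed by an ACME ClusterIssuer for the public-facing side. Assumed for illustration: a ClusterIssuer named `internal-ca` already exists, an ingress-nginx controller answers HTTP-01 challenges, and the names `orders-api`, `letsencrypt-prod` and `pki-team@example.com` are constructed.

```yaml
# BEFORE: relies on release defaults. cert-manager issues a 90-day (2160h)
# certificate, begins renewal once two thirds of that lifetime has elapsed,
# and leaves rotationPolicy to the release default (historically Never),
# so the same private key can be reused across renewals.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-api
  namespace: orders
spec:
  secretName: orders-api-tls
  dnsNames:
    - orders-api.orders.svc.cluster.local
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
---
# AFTER: short-lived, rotated and scoped (practices 1 to 3).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-api
  namespace: orders
spec:
  secretName: orders-api-tls
  dnsNames:
    - orders-api.orders.svc.cluster.local
  duration: 24h              # a leaked certificate is usable for a day at most
  renewBefore: 8h            # renewal margin; must be shorter than duration
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # fresh key pair on every renewal, not a re-signed CSR
  usages:
    - server auth
    - client auth
  issuerRef:
    name: internal-ca        # private CA you control for internal traffic
    kind: ClusterIssuer
    group: cert-manager.io
---
# Public side: an ACME ClusterIssuer for internet-facing endpoints.
# Let's Encrypt ignores a requested duration and sets its own validity;
# renewBefore on a Certificate using this issuer still controls when
# cert-manager starts renewal against the real expiry date.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: pki-team@example.com            # constructed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key; cert-manager creates it
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx        # cert-manager v1.12+; older releases use "class: nginx"
```

Setting `rotationPolicy` explicitly rather than trusting the default matters because a renewed certificate bound to an old, possibly exposed key is only half a rotation. The fourth practice, protecting CA keys in an HSM, is not expressible in a Certificate manifest: it is a property of the issuer behind `internal-ca`, which is why the issuers table lists Vault and managed cloud CAs as alternatives to a key held in a Secret.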
cert-manager and Enterprise PKI
cert-manager is excellent at in-cluster automation, but it does not by itself give an organization central policy and a single inventory across many clusters and non-Kubernetes systems. That governance gap is filled by an enterprise certificate management platform that integrates with cert-manager. For the trust model behind the certificates cert-manager issues, see the explainer on what a certificate authority is.
How Encryption Consulting Helps
CertSecure Manager provides the enterprise layer above cert-manager: a single inventory, consistent policy, and lifecycle control across every cluster, server, and cloud. Encryption Consulting’s PKI Services design the private CAs that issue your workload certificates, backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
Frequently Asked Questions
What Is cert-manager in Kubernetes?
cert-manager is an open-source, CNCF-graduated tool that automates TLS certificate management inside Kubernetes. It adds Certificate and Issuer resources to the cluster and automatically requests, renews, and rotates certificates from sources such as Let’s Encrypt, HashiCorp Vault, or a private CA, reducing the manual work and outages associated with expiring certificates.
Is cert-manager Free?
Yes. cert-manager is free and open source, maintained as a graduated project under the Cloud Native Computing Foundation (CNCF). It is one of the most widely used CNCF projects. Organizations may still pay for the certificate authorities it integrates with, or for enterprise PKI and support, but cert-manager itself carries no license cost.
How Does Kubernetes Use Certificates?
Kubernetes uses TLS certificates extensively. The control plane components, such as the API server, kubelets, and etcd, authenticate to each other with certificates. Workloads also use certificates to secure service-to-service traffic, often with mutual TLS. Because there are many short-lived components, certificate issuance and renewal need to be automated.
Does cert-manager Work With a Private CA?
Yes. cert-manager supports many issuers, including private certificate authorities, HashiCorp Vault, Venafi, and ACME providers like Let’s Encrypt. This lets organizations issue internal workload certificates from their own PKI while using public CAs for internet-facing endpoints, all managed through the same cert-manager resources in the cluster.
What Is the Difference Between cert-manager and a Certificate Management Platform?
cert-manager automates certificates inside a Kubernetes cluster. An enterprise certificate management platform provides visibility, policy, and lifecycle control across all environments, clusters, servers, cloud, and devices. The two are complementary: cert-manager handles in-cluster automation, while a platform such as CertSecure Manager gives central governance and a single inventory across the whole estate.
Govern Certificates Across Every Cluster
Ready to add enterprise control on top of cert-manager? See CertSecure Manager in action, or learn what certificate management is.
