cert-manager
cert-manager is an open-source Kubernetes add-on that automates the management and issuance of X.509 Transport Layer Security (TLS) certificates from various certificate authorities for workloads and cluster resources (security, Public Key Infrastructure (PKI) automation).
- Automates issuance and renewal of TLS/X.509 certificates for Kubernetes workloads and ingress resources (security, certificate management).
- Integrates with external and internal certificate authorities through pluggable issuers and cluster-wide issuers (security, PKI integration).
- Uses Kubernetes Custom Resource Definitions (CRDs) to model certificates, certificate requests, and issuers as native Application Programming Interface (API) objects (Kubernetes platform extension).
- Supports ACME-based certificate issuance and other CA protocols through the issuer types documented by the project (security, protocol-based automation).
- Coordinates certificate lifecycle for ingress controllers, service meshes, and internal services within Kubernetes clusters (security, service connectivity).
More About Cert-Manager
cert-manager addresses certificate lifecycle management in Kubernetes clusters by automating the issuance, renewal, and propagation of X.509 TLS certificates. In containerized and microservice architectures, manual certificate provisioning for ingress endpoints, internal services, and control planes introduces operational overhead and risk of expired or misconfigured certificates. cert-manager provides a Kubernetes-native mechanism to define certificate needs declaratively and keep them in sync with one or more certificate authorities.
The project extends Kubernetes using Custom Resource Definitions (Kubernetes platform extension), introducing resources such as Issuer, ClusterIssuer, Certificate, and CertificateRequest. An Issuer or ClusterIssuer represents a specific certificate authority or signing mechanism, while a Certificate object describes the desired characteristics of a certificate, including subject, Domain Name System (DNS) names, and the Kubernetes secret in which the result is stored. cert-manager’s controllers reconcile these objects, interact with the configured certificate authorities (CAs), and store the issued private keys and certificates in Kubernetes secrets.
cert-manager supports multiple issuer types (security, PKI integration), including ACME-based issuers for public or private ACME servers and other CA integrations documented by the project. Through these issuers, it can obtain and renew certificates for ingress resources, Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) services, and internal components. The automation covers challenge handling for ACME where applicable, certificate renewal before expiry, and update of the backing Kubernetes secrets without application downtime when workloads reference those secrets.
In enterprise environments, cert-manager is commonly deployed as a controller within Kubernetes clusters and integrated with ingress controllers, service meshes, and internal PKI systems (security, service connectivity). Platform and security teams use it to enforce consistent TLS usage, manage certificates across namespaces and clusters via ClusterIssuers, and align with organizational certificate policies while keeping configuration under version control as Kubernetes manifests.
Architecturally, cert-manager runs as a set of controllers watching relevant CRDs and orchestrating interactions with external systems over standard protocols such as ACME (security, protocol-based automation) or CA APIs. Its design allows extensibility through additional issuer implementations and configuration options for certificate templates, renewal windows, and key parameters. Within an enterprise technology catalog, cert-manager fits into the categories of Kubernetes platform tooling, certificate lifecycle management, and PKI integration for cloud-native workloads.
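As an added example, not taken from the cert-manager project's own documentation, the following manifest shows how the resources described above fit together: a ClusterIssuer backed by a public ACME server and a namespaced Certificate that references it and sets the renewal window and key parameters mentioned above. The names, namespace, hostname and e-mail address are placeholders.

```yaml
# Constructed example: cluster-wide ACME issuer (Let's Encrypt staging endpoint)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging          # placeholder name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: platform-team@example.com # placeholder contact
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx             # ingress class that will serve the HTTP-01 challenge
---
# Constructed example: the Certificate a workload team declares in its namespace
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls                      # placeholder name
  namespace: web                     # placeholder namespace
spec:
  secretName: app-tls                # kubernetes.io/tls Secret that Ingress/pods reference
  dnsNames:
    - app.example.com                # placeholder hostname
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer              # cluster-scoped, so usable from any namespace
    group: cert-manager.io
  duration: 2160h                    # requested lifetime (90 days)
  renewBefore: 360h                  # renewal window: re-issue 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always           # generate a fresh private key on every renewal
  usages:
    - digital signature
    - server auth
```

Because the Certificate refers to the ClusterIssuer only by name, the issuer configuration (account key, solver, CA endpoint) stays under platform-team control while application manifests remain declarative and reviewable in version control.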