
cert-manager, explained.

cert-manager is the most popular tool for automating certificates in Kubernetes. It requests, stores, and renews certificates from issuers like Let’s Encrypt and private CAs — here’s how it works and where its limits are.

6 min read · Kubernetes

[Diagram: cert-manager flow. Issuer (CA config) -> Certificate (K8s resource) -> Secret (stored cert) -> Ingress (serves TLS)]
Definition

cert-manager is an open-source Kubernetes add-on that automates the issuance and renewal of TLS certificates. It introduces Kubernetes resources — Issuers and Certificates — that request certs from a CA and store them as secrets for workloads to use.

How cert-manager works

Issuer to certificate to secret.

1. Configure an issuer
Define where certificates come from — ACME, a private CA, or Vault.

2. Request a certificate
A Certificate resource declares the cert you want.

3. Store as a secret
cert-manager obtains the cert and saves it as a secret.

4. Auto-renew
It renews the certificate before expiry, automatically.
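The four steps above as Kubernetes manifests, an added example rather than configuration from this page: a ClusterIssuer for Let's Encrypt using the HTTP-01 solver on an nginx ingress class, and a Certificate that cert-manager fulfils into the Secret web-tls and renews 30 days before expiry with a freshly generated key. The issuer name, hostname, email address and namespace are placeholders.

```yaml
# Added example: cert-manager manifests for steps 1-4 above.
# Hostname, email and namespace are constructed placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com      # placeholder contact for the ACME account
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key; cert-manager creates it
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # solver publishes the challenge via this class
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: web                          # placeholder namespace
spec:
  secretName: web-tls                     # step 3: Secret holding tls.crt / tls.key
  dnsNames:
    - app.example.com                     # placeholder hostname
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  duration: 2160h                         # 90 days, the lifetime Let's Encrypt issues
  renewBefore: 720h                       # step 4: renew 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                # new private key on every renewal, never reused
```

An Ingress in the same namespace consumes the result by naming web-tls under spec.tls, with no further cert-manager configuration. `kubectl describe certificate -n web web-tls` shows the Ready condition plus the Not After and Renewal Time values that drive step 4.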

Where it stops

Great inside one cluster — blind beyond it.

cert-manager is excellent at in-cluster automation. But it isn’t a platform: it doesn’t unify, risk-score, or map the certificates it manages.

Cluster-scoped

cert-manager automates certs within a cluster — not across your whole estate.

No central inventory

It manages certs but doesn’t give a unified view across clusters and clouds.

Multi-cluster gaps

Many clusters mean many cert-manager instances with no shared picture.

No risk or ownership

It issues and renews, but doesn’t score risk or map ownership and impact.

cert-manager + MachineCert

Add the platform layer cert-manager lacks.

Unified visibility

cert-manager certs alongside public, cloud, and internal.

Multi-cluster view

Every cluster’s certs in one inventory.

Risk scoring

Score and prioritize cluster certificates.

Cross-estate automation

Extend automation beyond the cluster.

Ownership mapping

Tie cluster certs to teams and on-call.

Works with cert-manager

Complements, never replaces, cert-manager.

FAQ

cert-manager, answered.

cert-manager is an open-source Kubernetes add-on that automates issuing and renewing TLS certificates. It adds custom resources — Issuers and Certificates — that obtain certificates from a CA and store them as Kubernetes secrets for workloads to use.

You configure an Issuer (for example ACME/Let’s Encrypt, a private CA, or Vault), then create Certificate resources. cert-manager requests the certificate, stores it as a secret, and renews it automatically before expiry.

Common issuers include ACME CAs like Let’s Encrypt, HashiCorp Vault, Venafi, and self-signed or CA-based internal issuers — covering both public and private certificate sources.

Yes. cert-manager automatically renews certificates before they expire and updates the corresponding Kubernetes secret, so workloads always have a valid certificate.

cert-manager operates within a single cluster. It doesn’t provide a unified inventory across clusters and clouds, risk scoring, ownership mapping, or blast-radius analysis — capabilities you need to manage certificates at the organization level.

You need a layer that reads cert-manager resources and secrets across all clusters and consolidates them — alongside non-Kubernetes certificates — into a single inventory.

No. MachineCert complements cert-manager. cert-manager continues to automate in-cluster issuance, while MachineCert adds cross-cluster visibility, risk scoring, ownership, and estate-wide automation.

MachineCert discovers the certificates cert-manager manages across all your clusters, unifies them with the rest of your certificate estate, and layers on monitoring, risk, and impact analysis.
See it in practice

See your cert-manager certs in one place.

Unify cert-manager certificates across every cluster with the rest of your certificate estate.
