Managing certificates in Kubernetes.

Kubernetes runs on TLS — ingress termination, mutual TLS between services, and secrets full of certificates. Understanding how certificates flow through a cluster is key to keeping it secure and online.

9 min read · Kubernetes

[Diagram: Certificates in Kubernetes. Ingress: TLS termination. Services: mTLS identity. Secrets: cert storage. cert-manager: automation.]
Definition

Kubernetes certificate management is the issuance, storage, rotation, and renewal of the TLS certificates a cluster depends on: the ones ingress controllers terminate with, the workload identities a service mesh uses for mutual TLS, and the Secrets that hold them. It is typically automated with cert-manager, with the mesh handling its own workload certificates.

How it works

Certificates flow through the whole cluster.

1. Ingress TLS

Ingress controllers terminate external TLS using a certificate and private key read from a Secret of type kubernetes.io/tls, referenced by the Ingress through spec.tls.secretName.

2. Service mTLS

Service meshes run their own CA and issue short-lived workload certificates bound to each workload's service account, so sidecars authenticate each other on every connection.

3. Secrets

Certificates and private keys live in Kubernetes Secrets and are mounted into pods as files. Secrets are base64-encoded, not encrypted, unless etcd encryption at rest is configured, and anyone with get or list on Secrets in the namespace can read the key.

4. cert-manager

cert-manager watches Certificate resources, obtains certificates from a configured Issuer or ClusterIssuer (an ACME CA such as Let's Encrypt, or a private CA), writes them to Secrets, and renews them before expiry.
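The four steps above as one complete manifest set. This is an added example written for this page, not cert-manager's own documentation or code: a self-signed bootstrap issuer creates an internal root CA, a CA ClusterIssuer signs leaf certificates from it, a Certificate requests one for shop.example.com, and an Ingress serves it. cert-manager writes the resulting Secret (type kubernetes.io/tls with tls.crt, tls.key and ca.crt) itself, so no Secret is authored here. The names, namespaces, hostname and the ingress-nginx class are assumptions; it assumes cert-manager is installed in the cert-manager namespace.

```yaml
# Added example (not from the page). Assumes cert-manager installed in the
# cert-manager namespace and an ingress-nginx controller; all names and
# shop.example.com are hypothetical.

# 1. Bootstrap issuer: signs exactly one thing, the internal root CA below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
# 2. The internal root CA. Its Secret must live in cert-manager's own
#    namespace for a ClusterIssuer to read it. It is long-lived, so protect
#    the Secret: restrict it with RBAC and never mount it into workloads.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-root-ca
  secretName: internal-root-ca
  duration: 87600h      # 10 years
  privateKey:
    algorithm: ECDSA
    size: 384
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. CA issuer backed by that root; every leaf certificate chains to it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-root-ca
---
# 4. A leaf certificate. cert-manager creates Secret shop/shop-example-com-tls
#    (type kubernetes.io/tls: tls.crt, tls.key, ca.crt), renews it 15 days
#    before the 90-day expiry, and generates a fresh private key each time.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-example-com
  namespace: shop
spec:
  secretName: shop-example-com-tls
  dnsNames:
  - shop.example.com
  duration: 2160h       # 90 days
  renewBefore: 360h     # 15 days
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  usages:
  - digital signature
  - server auth
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# 5. The Ingress only references the Secret by name; the controller picks up
#    the new contents when cert-manager rotates them.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - shop.example.com
    secretName: shop-example-com-tls
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop
            port:
              number: 8080
```

After kubectl apply -f, kubectl get certificate -A shows each Certificate's READY state, kubectl describe certificate -n shop shop-example-com shows the scheduled renewal time, and kubectl get secret -n shop shop-example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates reads the expiry of what the ingress is actually serving. Clients must trust the internal root (the ca.crt key in the Secret), which is the trade-off of a private CA versus an ACME issuer.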

Where certs live

Certificates are everywhere in K8s.

From the edge to service-to-service traffic, certificates are woven through Kubernetes, and they rotate far more often than traditional certificates: cert-manager renews ingress certificates on a 90-day cycle by default, and Istio and Linkerd issue workload certificates with a 24-hour lifetime by default.

Ingress controllers

NGINX, Traefik, and others terminate external TLS using certificate secrets.

Kubernetes secrets

Certificates and private keys are stored as secrets and mounted into pods.

Service mesh

Istio, Linkerd, and others assign certificate identities for mutual TLS.

cert-manager

The de facto tool for automating issuance and renewal inside clusters.

Common challenges

Kubernetes makes certs fast-moving and hidden.

High churn

Certs rotate constantly as pods and services come and go.

Cluster blind spots

Cluster certs rarely appear in central inventories.

mTLS sprawl

Service-mesh identities multiply with every service.

Multi-cluster

Tracking certs across many clusters is hard by hand.

Secret exposure

Certificate Secrets are base64-encoded, not encrypted, unless etcd encryption at rest is enabled, and any principal with get or list on Secrets in a namespace can read every private key in it. A leaked key lets an attacker impersonate that ingress host or workload until the certificate expires or is revoked; over-broad RBAC and unencrypted etcd backups are the usual leak paths.

Automation needed

Manual handling can’t keep pace with the cluster.
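The "Secret exposure" challenge above, as an added example that is not part of the original page: the same CI service account bound first to an over-broad ClusterRole that can read every Secret in the cluster, then to a hardened namespace-scoped Role limited to one named Secret, followed by the kube-apiserver EncryptionConfiguration that keeps Secrets from sitting in etcd as plaintext. The service account, namespaces and Secret names are hypothetical, and the encryption key is a placeholder to be generated.

```yaml
# Added example (not from the page). ci-deployer, the ci and shop namespaces
# and shop-example-com-tls are hypothetical names.

# WEAK: a ClusterRole that can read every Secret in the cluster. Any token
# for ci-deployer, or a compromised pod running as it, can dump every TLS
# private key, including ingress certs and cert-manager's CA Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-read-everything
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-read-everything
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: ci
roleRef:
  kind: ClusterRole
  name: ci-read-everything
  apiGroup: rbac.authorization.k8s.io
---
# HARDENED: a namespace-scoped Role limited to "get" on the one Secret the
# job needs. "list" and "watch" are deliberately omitted: resourceNames
# cannot meaningfully restrict collection reads, so granting them would
# expose every Secret in the namespace anyway.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-shop-tls
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["shop-example-com-tls"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-shop-tls
  namespace: shop
subjects:
- kind: ServiceAccount
  name: ci-deployer
  namespace: ci
roleRef:
  kind: Role
  name: read-shop-tls
  apiGroup: rbac.authorization.k8s.io
---
# Separate from RBAC, and not applied with kubectl: this file is passed to
# kube-apiserver via --encryption-provider-config. Without it, Secrets sit in
# etcd as base64 plaintext and an etcd backup leaks every key. secretbox
# encrypts new writes; the trailing identity provider still reads existing
# unencrypted objects until they are rewritten. The key must be generated
# (32 random bytes, base64-encoded); a KMS v2 provider keeps key material off
# the control-plane host and is the stronger choice where available.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources: ["secrets"]
  providers:
  - secretbox:
      keys:
      - name: key1
        secret: <base64-encoded 32-byte key>
  - identity: {}
```

To find who can read Secrets today, kubectl auth can-i get secrets --as=system:serviceaccount:ci:ci-deployer -n shop answers for one principal, and kubectl get clusterrolebindings,rolebindings -A -o wide lists the bindings to audit. After enabling encryption, re-save existing Secrets (kubectl get secrets -A -o json | kubectl replace -f -) so they are rewritten under the new provider.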

FAQ

Kubernetes certificates, answered.

Certificates secure ingress (external TLS termination), enable mutual TLS between services (often via a service mesh), and are stored in Kubernetes secrets that are mounted into pods. They're fundamental to securing cluster traffic.

cert-manager is the most widely used tool for automating certificate management in Kubernetes. It requests certificates from configured issuers (such as Let's Encrypt or a private CA), stores them as secrets, and renews them automatically.

An ingress controller terminates incoming TLS connections using a certificate stored in a Kubernetes secret. cert-manager typically issues and renews that certificate so the ingress always serves a valid cert.

Mutual TLS is when both services in a connection present certificates to authenticate each other. Service meshes like Istio and Linkerd assign certificate identities to workloads to enable mTLS automatically.

Cluster certificates rotate frequently, are spread across namespaces and clusters, live inside secrets, and rarely appear in centralized inventories, making them easy to lose track of despite their importance.

A discovery agent that reads cert-manager resources and certificate secrets across clusters surfaces Kubernetes certificates into a central inventory alongside the rest of your estate.

cert-manager automates issuance and renewal within a cluster, but it doesn't give you a unified, cross-cluster inventory, risk scoring, ownership, or blast-radius analysis, which is where a platform layer adds value.

MachineCert discovers certificates across clusters, including cert-manager and service-mesh certs, unifies them with public, cloud, and internal certificates, and adds monitoring, risk scoring, and automated renewal in one place.
See it in practice

See your Kubernetes certificates.

Discover cert-manager and service-mesh certificates across clusters in one unified inventory.

Book a demo