cert-manager

Security Plane
Security Suites
Source
Open
What is cert-manager?
cert-manager is a powerful and extensible X.509 certificate controller for Kubernetes and OpenShift workloads. It helps automate certificate issuance and renewal so certificates stay valid and up-to-date.

Profile

cert-manager is a Kubernetes-native certificate management controller that automates the issuance, renewal, and lifecycle management of TLS certificates across containerized workloads. Operating as a Cloud Native Computing Foundation graduated project, it has established itself as the industry standard solution for certificate automation in Kubernetes environments. The tool transforms certificate management from manual, error-prone administrative tasks into declarative, GitOps-compatible operations by treating certificates as first-class Kubernetes resources through Custom Resource Definitions. This approach eliminates operational bottlenecks associated with tracking expiration dates, coordinating manual renewals, and distributing certificates across distributed infrastructure, enabling organizations to scale their deployment velocity without proportionally increasing certificate management burden.

Focus

cert-manager addresses the fundamental challenge of managing TLS certificate lifecycles at cloud-native scale, where manual processes cannot match the velocity and distribution of containerized applications. The tool eliminates certificate-related outages by automating renewal workflows and providing continuous monitoring of certificate expiration states. Platform teams benefit from self-service certificate provisioning capabilities that remove manual intervention requirements, while development teams gain declarative certificate configuration aligned with standard Kubernetes workflows. Organizations operating under compliance requirements leverage cert-manager's approval policy mechanisms and audit trails to enforce certificate governance. The solution serves multi-tenant deployments, hybrid cloud environments, and organizations requiring consistent certificate management across diverse infrastructure without vendor lock-in to specific certificate authorities.

Background

cert-manager originated at Jetstack, a United Kingdom-based startup focused on Kubernetes and cloud-native infrastructure, specifically developed to simplify enterprise certificate lifecycle automation. Venafi acquired Jetstack in May 2020, maintaining the project's open-source development trajectory while providing commercial backing. CyberArk subsequently acquired Venafi for approximately $1.54 billion in October 2024, integrating machine identity management capabilities while preserving cert-manager's open-source governance. The project achieved Cloud Native Computing Foundation graduated status in November 2024, validating its maturity through comprehensive security audits and governance reviews. With over 450 contributors and more than 200 releases, cert-manager operates under Apache License 2.0 with transparent community governance through established CNCF structures and active maintainer collaboration.

Main features

Extensible certificate authority integration

cert-manager supports multiple certificate authorities through built-in and external issuer architectures, enabling organizations to select authorities matching operational and compliance requirements. Built-in issuers include ACME protocol support for Let's Encrypt and similar services, self-signed certificate generation for testing and bootstrapping, traditional CA issuers for internal PKI infrastructure, HashiCorp Vault integration, and cloud provider certificate services. The external issuer mechanism allows third-party developers to create custom issuers treated identically to built-in options, with known implementations including AWS Private Certificate Authority, Google Cloud Certificate Authority Service, Cloudflare Origin CA, and Active Directory Certificate Services, preventing vendor lock-in while supporting diverse deployment scenarios.

Automated certificate lifecycle management

The Certificate resource abstraction accepts human-readable specifications defining requested domains, validity duration, renewal behavior, and target issuers, automatically generating private keys and creating CertificateRequest resources for signing. Renewal operates on configurable timing parameters, defaulting to two-thirds through the certificate's validity period with customizable thresholds through renewBefore duration fields or renewBeforePercentage values. Private key rotation policies enable organizations to generate new keys with each renewal cycle, meeting security compliance requirements. The system continuously monitors certificate expiration status and triggers automated renewal without manual intervention, storing issued certificates in Kubernetes Secrets for consumption by applications and ingress controllers.

Ingress and gateway integration with challenge automation

The ingress-shim component automatically watches Ingress resources across clusters, creating corresponding Certificate resources when cert-manager annotations are detected, eliminating boilerplate configuration requirements. For ACME-based issuance, cert-manager implements HTTP01 challenges by automatically configuring ingress controllers to route verification tokens, and DNS01 challenges through integration with numerous DNS providers including Route53, CloudDNS, and Cloudflare, supporting wildcard certificates and internal domains. CNAME delegation enables organizations to delegate ACME challenge responsibility to less-privileged DNS zones following least-privilege principles. The system handles temporary self-signed certificate issuance during ACME processing, maintaining service availability while awaiting certificate authority responses.

Abstract pattern of purple and black halftone dots forming a wave-like shape on a black background.