cert-manager

by CNCF

Open-source CNCF Kubernetes add-on that automates TLS certificate provisioning, renewal, and rotation from Let's Encrypt, HashiCorp Vault, Venafi, and self-signed CAs for APAC Kubernetes platform teams.

AIMenta verdict
Recommended
5/5

"cert-manager is the open-source Kubernetes certificate manager for APAC platform teams — automated TLS certificate provisioning from Let's Encrypt and Vault. Best for APAC Kubernetes teams wanting automated certificate lifecycle management without manual rotation."

What it does

Key features

  • ACME/Let's Encrypt — HTTP-01 and DNS-01 challenge support for free public TLS certificates for APAC Kubernetes ingress
  • Vault PKI integration — internal CA certificate issuance via HashiCorp Vault PKI for APAC service TLS
  • Kubernetes CRD model — Certificate, Issuer, ClusterIssuer resources for declarative APAC certificate management
  • Ingress automation — automatic TLS provisioning for annotated Kubernetes Ingress resources
  • Automatic renewal — pre-expiry certificate renewal without manual intervention for APAC platform teams
  • Multiple issuers — Let's Encrypt, Vault, Venafi, AWS ACM PCA, Sectigo, and self-signed CA support
  • CNCF incubating — active CNCF project with wide APAC Kubernetes ecosystem adoption
When to reach for it

Best for

  • APAC Kubernetes platform teams eliminating manual TLS certificate management from APAC cluster operations
  • Engineering teams provisioning Let's Encrypt certificates for APAC Kubernetes Ingress without manual ACME challenges
  • APAC platform teams implementing automated internal service TLS via Vault PKI with short-lived certificate rotation
  • DevSecOps teams ensuring all APAC Kubernetes workloads have valid TLS certificates without certificate expiry incidents
Don't get burned

Limitations to know

  • cert-manager manages Kubernetes certificates only — APAC non-Kubernetes services (VMs, databases, load balancers) require separate certificate management solutions
  • Let's Encrypt rate limits — APAC platform teams with many sub-domains should plan domain structure to avoid Let's Encrypt certificate issuance rate limits
  • cert-manager webhook complexity — cert-manager installs admission webhook components that must be healthy for the API server to admit cert-manager resources (Certificate, Issuer, ClusterIssuer); webhook failures can block APAC cluster operations
  • Vault PKI integration requires operational Vault — APAC teams using Vault PKI with cert-manager must maintain Vault availability as a dependency for certificate renewal in APAC production clusters
Context

About cert-manager

cert-manager is an open-source CNCF Kubernetes add-on that provides APAC platform engineering teams with automated TLS certificate provisioning, renewal, and secret injection for Kubernetes workloads — eliminating manual certificate management from APAC Kubernetes operations by automatically obtaining, renewing, and distributing X.509 certificates from configured certificate authorities (Let's Encrypt, HashiCorp Vault PKI, Venafi, Sectigo, AWS ACM Private CA, and self-signed CAs) through native Kubernetes CRD resources.

cert-manager's Certificate resource model — where APAC platform teams declare the desired certificate (domain names, issuer reference, key algorithm, expiry duration) as a Kubernetes Certificate CRD, and cert-manager automatically provisions the certificate, stores it in a Kubernetes Secret, and renews it before expiry — automates the certificate lifecycle that APAC operations teams previously managed through manual certificate requests, calendar reminders, and PEM file distribution.

cert-manager's Let's Encrypt integration — supporting both HTTP-01 challenges (cert-manager temporarily exposes a well-known URL on the target domain for ACME validation) and DNS-01 challenges (cert-manager creates DNS TXT records using Cloudflare, Route53, Azure DNS, or other DNS providers for ACME validation) — enables APAC platform teams to obtain free, publicly trusted TLS certificates for APAC Kubernetes ingress controllers and public services without commercial CA costs.

cert-manager's Vault PKI integration — where cert-manager uses Vault's PKI secrets engine to issue certificates from APAC organisations' internal CA chains, with configurable validity periods, key constraints, and CN/SAN restrictions — is the standard pattern for APAC Kubernetes service-to-service TLS: internal services receive short-lived certificates (24-hour validity) from an internal CA managed by Vault, auto-renewed by cert-manager, without exposing private keys to engineers.

cert-manager's Ingress integration — where cert-manager automatically provisions and attaches TLS certificates to Kubernetes Ingress resources annotated with `cert-manager.io/issuer` or `cert-manager.io/cluster-issuer` — enables APAC platform teams to configure TLS for Kubernetes Ingress resources by adding a single annotation, with cert-manager handling certificate provisioning, Kubernetes Secret creation, and renewal completely automatically.
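As an added illustration of the CRD model, the Vault PKI pattern and the Ingress annotation described above (example manifests written for this page, not cert-manager's own documentation): a Vault-backed ClusterIssuer, a 24-hour Certificate it issues, and an Ingress that requests a public certificate by annotation. The Vault address, PKI sign path, auth role, Secret names and the `letsencrypt-prod` ClusterIssuer are assumptions, and `serviceAccountRef` assumes cert-manager 1.12 or later.

```yaml
# Constructed example; hostnames, Vault address, paths, roles and Secret names are assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-internal-ca
spec:
  vault:
    server: https://vault.example.internal:8200   # assumed Vault address
    path: pki_int/sign/k8s-services               # assumed PKI sign path for a Vault role
    auth:
      kubernetes:
        role: cert-manager                        # assumed Vault Kubernetes-auth role
        serviceAccountRef:
          name: cert-manager                      # cert-manager's own ServiceAccount
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-api-tls
  namespace: orders
spec:
  secretName: orders-api-tls          # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 24h                       # short-lived internal certificate
  renewBefore: 8h                     # renew with a third of the lifetime remaining
  dnsNames:
    - orders-api.orders.svc.cluster.local
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always            # fresh private key on every renewal
  issuerRef:
    name: vault-internal-ca
    kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # assumed ACME ClusterIssuer
spec:
  tls:
    - hosts: [shop.example.com]
      secretName: shop-tls            # created and renewed by cert-manager
  rules:
    - host: shop.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: shop, port: {number: 80}}}}
```

With `rotationPolicy: Always` each renewal generates a new private key, so the 24-hour lifetime also bounds how long a leaked key remains usable; the Vault role's CN/SAN restrictions, not the Certificate, decide which names the internal CA will sign.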
