cert-manager Certificate Generator
Generate cert-manager Certificate and Issuer/ClusterIssuer YAML for Let's Encrypt TLS certificates. Supports HTTP-01 and DNS-01 challenges.
cert-manager on Kubernetes
cert-manager automates TLS certificate issuance and renewal from Let's Encrypt (and other ACME CAs) via Kubernetes CRDs.
How it works
Certificate CR created
↓
cert-manager creates CertificateRequest
↓
ACME challenge (HTTP-01 or DNS-01)
↓
Let's Encrypt verifies domain
↓
Certificate issued → stored in Secret
↓
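cert-manager renews automatically (30 days before expiry)
Install cert-manager
```bash
# "latest" follows the newest release; put a specific release tag in the URL for reproducible installs.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
# Verify
kubectl get pods -n cert-manager
```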
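As an added example (not output of the generator on this page), the manifests below define the letsencrypt-prod ClusterIssuer and the my-app-tls Certificate that this page's kubectl commands and Ingress snippet refer to, with an HTTP-01 solver as the default and a DNS-01 solver for a wildcard name. The e-mail address, ingress class, wildcard name, and the Secret names for the ACME account key and Cloudflare token are assumptions.

```yaml
# Added example. Assumed values: e-mail, ingress class, Secret names for the
# ACME account key and Cloudflare token, and the wildcard name in the selector.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                  # assumed ACME account contact
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # assumed; holds the ACME account key
    solvers:
      # Default solver: HTTP-01 through the Ingress controller.
      - http01:
          ingress:
            ingressClassName: nginx         # assumed ingress class
      # DNS-01 only for names matching the selector (wildcards need DNS-01).
      - selector:
          dnsNames:
            - "*.example.com"
        dns01:
          cloudflare:
            apiTokenSecretRef:
              # For a ClusterIssuer this Secret is read from cert-manager's
              # own namespace (the cluster resource namespace).
              name: cloudflare-api-token    # assumed Secret name
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
  namespace: default
spec:
  secretName: my-app-tls-secret             # Secret referenced by the Ingress
  dnsNames:
    - app.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
  renewBefore: 720h                         # 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                  # fresh private key on each renewal
```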
Check Certificate Status
```bash
kubectl get certificate -n default
kubectl describe certificate my-app-tls -n default
kubectl get secret my-app-tls-secret -n default
```
Use in Ingress
```yaml
# Fragment of an Ingress manifest: the annotation sits under metadata.
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts: [app.example.com]
      secretName: my-app-tls-secret
```
Key Terms
kubeadm
A tool for bootstrapping Kubernetes clusters. It automates the setup of control plane components and joining worker nodes, following Kubernetes best practices.
etcd
A distributed key-value store used by Kubernetes to store all cluster state and configuration. etcd is the single source of truth for the entire cluster.
cert-manager
A Kubernetes controller for automating TLS certificate management. cert-manager can issue certificates from Let's Encrypt, Vault, or internal CAs, and automatically renews them.
Helm
A package manager for Kubernetes. Helm charts bundle Kubernetes manifests into reusable packages with configurable values, versioned and published to chart repositories.
Frequently Asked Questions
What is the difference between ClusterIssuer and Issuer?
A ClusterIssuer is cluster-scoped — it can issue certificates for any namespace. An Issuer is namespace-scoped — it can only issue certificates within its own namespace. Use ClusterIssuer for most setups (one Issuer configuration serves all apps). Use Issuer if you need different ACME accounts or configurations per namespace.
HTTP-01 vs DNS-01 — which should I use?
HTTP-01 is simpler: cert-manager creates a temporary path (/.well-known/acme-challenge/...) on your Ingress that Let's Encrypt verifies. It requires your domain to be publicly accessible. DNS-01 adds a TXT record to your DNS. It works for wildcard certificates and private/internal clusters, but requires API access to your DNS provider (Cloudflare, Route53, etc.).
How do I use the generated TLS certificate in my Ingress?
Reference the secretName in your Ingress TLS section: spec.tls[0].secretName: my-app-tls-secret. Also add the annotation: cert-manager.io/cluster-issuer: letsencrypt-prod. cert-manager will automatically watch the Ingress and provision/renew the certificate.
How long does it take for a certificate to be issued?
HTTP-01: typically 30–90 seconds after applying the Certificate. DNS-01: depends on DNS propagation — usually 1–5 minutes. Monitor with: kubectl describe certificate my-app-tls -n default. The status will show 'Certificate is up to date and has not expired' when ready.