An expired certificate means an outage. Poorly managed certificates are a ticking time bomb — most organizations have certificates scattered across dozens of servers without central tracking. When a certificate expires on a production load balancer on a Friday evening, it is too late for manual renewal. Automating certificate lifecycle is an investment that pays off at the first prevented outage.
cert-manager in Kubernetes¶
# Installation
helm install cert-manager jetstack/cert-manager --set installCRDs=true
# Let's Encrypt issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-key
solvers:
- http01:
ingress:
class: nginx
cert-manager automates the entire lifecycle — requesting, validating, storing in a Kubernetes Secret, and automatic renewal before expiration. It supports Let’s Encrypt, Vault, Venafi, and other certificate authorities. After configuring a ClusterIssuer, just add the cert-manager.io/cluster-issuer: letsencrypt annotation to an Ingress and the certificate is created automatically.
Monitoring¶
# Prometheus alert
- alert: CertificateExpiringSoon
expr: certmanager_certificate_expiration_timestamp_seconds - time() < 7 * 24 * 3600
labels:
severity: warning
annotations:
summary: "Certificate {{ $labels.name }} expires in less than 7 days"
Expiration monitoring is the second critical layer. Prometheus metrics from cert-manager enable alerting with sufficient lead time. For certificates outside Kubernetes, use tools like ssl-cert-check or the blackbox exporter, which tests TLS handshakes on endpoints.
Outside Kubernetes¶
For servers without cert-manager, automate renewal via certbot with a cron job. For internal PKI, consider HashiCorp Vault as a certificate authority — Vault issues short-lived certificates (hours instead of months), minimizing the impact of compromise.
Key Takeaway¶
cert-manager for Kubernetes, certbot for standalone servers, Prometheus for expiration monitoring. Automate renewal and monitor expiration — manual certificate management does not scale.