cert-manager, originally developed by Jetstack, is a Kubernetes operator that automates the management of X.509 certificates.



Issuers define sources from which certificates can be obtained. There are a number of types:

  • selfSigned specifies a self-signed CA. The self-signed CA certificate can be generated.
  • acme specifies an ACME-compatible endpoint and a solver configuration for the ACME challenge.
  • ca specifies a secret containing a certificate from which issued certificates will be chained.
  • vault specifies a HashiCorp Vault (Private) CA.
  • venafi allows using Venafi Cloud as a CA.


The Issuer object is namespace-scoped. To issue certificates across all namespaces, use the ClusterIssuer instead.


Certificates define desired X.509 certificates which should be automatically renewed.


CertificateRequests are issued by cert-manager in response to the creation, modification or approaching expiration of a Certificate. They contain the X.509 certificate request that will be sent to the issuer. They are typically consumed and manipulated by machines, not humans.


Orders are used to track the lifecycle of an ACME certificate "order". One Order will be created for each CertificateRequest referencing an ACME issuer.


Challenges are used to represent ACME challenges required for the authorisation process confirming ownership of a given DNS name.


The Ingress Shim component automates creation of Certificates for Ingress resources via an annotation specifying the Issuer to use to obtain certificates.
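
The manifests below are an added example, not taken from the cert-manager project: they tie the resources above together by bootstrapping a selfSigned Issuer, using it to create a CA Certificate, exposing that CA through a ca Issuer, and letting the Ingress Shim request a certificate via an annotation. The `demo` namespace, all resource names and the host `web.demo.example` are assumptions chosen for illustration.

```yaml
# All names and the "demo" namespace are hypothetical.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: bootstrap, namespace: demo}
spec:
  selfSigned: {}
---
# Certificate signed by the selfSigned issuer; isCA makes it usable as a CA.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: demo-ca, namespace: demo}
spec:
  isCA: true
  commonName: demo-ca
  secretName: demo-ca-key-pair
  privateKey: {algorithm: ECDSA, size: 256}
  issuerRef: {name: bootstrap, kind: Issuer, group: cert-manager.io}
---
# ca issuer: chains issued certificates to the key pair in the secret above.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata: {name: demo-ca-issuer, namespace: demo}
spec:
  ca:
    secretName: demo-ca-key-pair
---
# Ingress shim: the annotation names the Issuer; cert-manager creates a
# Certificate for the hosts in spec.tls and stores it in secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: demo
  annotations:
    cert-manager.io/issuer: demo-ca-issuer
spec:
  tls:
    - hosts: [web.demo.example]
      secretName: web-tls
  rules:
    - host: web.demo.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port: {number: 80}
```

Because both Issuers are namespace-scoped, only resources in `demo` can reference them; a ClusterIssuer would let any namespace request certificates from the same CA, so the choice of scope determines who can obtain certificates chained to it.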