cert-manager — Trivia & Interesting Facts¶
Surprising, historical, and little-known facts about cert-manager.
cert-manager was created because Let's Encrypt changed everything¶
cert-manager was created by James Munnelly at Jetstack in 2017, directly motivated by Let's Encrypt's launch in 2015. Before Let's Encrypt, SSL certificates cost $50-300/year each, and automating their renewal was rarely worth the effort. Free, automated certificates made a Kubernetes-native certificate manager both possible and necessary.
Let's Encrypt issues over 4 million certificates per day¶
Let's Encrypt, the most common issuer used with cert-manager, issues approximately 4 million certificates per day as of 2024. The project has issued over 4 billion certificates total since its launch. cert-manager is one of the primary clients driving this volume in Kubernetes environments.
Jetstack was acquired by Venafi largely because of cert-manager¶
Venafi, an enterprise certificate management company, acquired Jetstack in 2020. The acquisition was widely seen as primarily motivated by cert-manager's dominant position in Kubernetes certificate management. cert-manager remained open source, but Venafi integrated it into their commercial platform.
The ACME protocol was created by the EFF, and the name is a Looney Tunes reference¶
The ACME (Automatic Certificate Management Environment) protocol, which cert-manager uses to obtain certificates from Let's Encrypt, was created by the Electronic Frontier Foundation. The name is a playful reference to the ACME Corporation from Looney Tunes cartoons, which manufactured everything from anvils to rocket skates.
Certificate expiry has caused some of the most embarrassing outages¶
Expired certificates have caused outages at Microsoft (Teams, 2020), Spotify (2020), Equifax (contributed to the 2017 breach going undetected), and even Let's Encrypt itself (2021 root expiry). cert-manager exists precisely because humans are terrible at remembering to renew certificates before they expire.
cert-manager processes over 1 million Certificate resources in large clusters¶
In large Kubernetes deployments, cert-manager manages over a million Certificate custom resources across clusters. The controller was redesigned multiple times to handle this scale, including adding informer-based watches and rate-limited work queues to prevent the controller from overwhelming the Kubernetes API server.
DNS-01 challenges can prove domain ownership without exposing ports¶
cert-manager supports DNS-01 ACME challenges, which prove domain ownership by creating a specific DNS TXT record rather than responding to HTTP requests. This is the only way to obtain wildcard certificates from Let's Encrypt and works even for internal services that aren't reachable from the internet.
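The manifests below are an added example of the DNS-01 setup described above; they are not taken from the cert-manager project or from this page. They assume a Cloudflare-hosted zone, a token stored in a Secret named cloudflare-api-token (assumed name), and the hostnames example.com / internal.example.com as placeholders. The same pattern applies to the other dns01 providers cert-manager supports.

```yaml
# Secret holding the DNS provider credential. Scope the token to DNS edit rights
# on this one zone only: cert-manager needs nothing more, and the token is the
# sensitive part of a DNS-01 deployment (no inbound port 80 is ever opened).
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token        # assumed name
  namespace: cert-manager           # ClusterIssuer credentials live in the cert-manager namespace
type: Opaque
stringData:
  api-token: REPLACE_WITH_SCOPED_TOKEN   # placeholder, not a real value
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    # Use the staging endpoint while testing to avoid production rate limits:
    # https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com          # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key   # ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
      selector:
        dnsZones:
        - example.com               # only use this solver for names under this zone
---
# A wildcard certificate for services that are not reachable from the internet.
# DNS-01 is the only challenge type Let's Encrypt accepts for wildcard names.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-internal
  namespace: internal-apps          # assumed namespace
spec:
  secretName: wildcard-internal-tls # resulting tls.crt / tls.key Secret
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
  - "*.internal.example.com"
  - internal.example.com           # the wildcard does not cover the apex name itself
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always          # new key on every renewal, not only a new cert
  duration: 2160h                   # 90 days, the Let's Encrypt lifetime
  renewBefore: 720h                 # renew 30 days before expiry
```

During issuance cert-manager writes a TXT record at _acme-challenge.internal.example.com, waits until it can see the record itself, then asks the ACME server to validate it; the record is removed afterwards. Because the proof is a DNS record rather than an HTTP response, the only thing to protect is the DNS API credential, so keep it zone-scoped and watch the provider's audit log for unexpected record changes.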
The cert-manager project was donated to the CNCF in 2022¶
cert-manager was accepted as a CNCF Sandbox project in November 2022, five years after its initial release. By that point, it was already installed in the majority of production Kubernetes clusters. The CNCF acceptance was more of a formalization than a launch — the project was already a de facto standard.
Self-signed CA certificates in dev environments cause a waterfall of trust issues¶
One of the most common cert-manager support questions involves self-signed CA certificates that work for TLS but break service-to-service communication because the CA isn't trusted by other pods. This "trust distribution" problem — getting every pod to trust the internal CA — has generated more GitHub issues than any other cert-manager topic.
cert-manager's trust-manager solves the "CA bundle distribution" problem¶
The trust-manager project, a companion to cert-manager, was created specifically to distribute CA trust bundles across Kubernetes namespaces. Before trust-manager, teams used init containers, volume mounts, or custom operators to distribute CA certificates — all of which were fragile and error-prone.
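As an added example for the two problems above (an internal CA that pods do not trust, and distributing its bundle), the manifests below bootstrap a CA with cert-manager and then publish it with a trust-manager Bundle. This is not code from the cert-manager or trust-manager projects; the names internal-ca-root, internal-ca-bundle, the trust: enabled label and the pod image are assumptions, and trust-manager is assumed to run with its default trust namespace, cert-manager.

```yaml
# Step 1: bootstrap an internal CA (self-signed issuer -> CA certificate -> CA issuer).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-ca-root
  namespace: cert-manager           # must be the trust namespace so the Bundle can read it
spec:
  isCA: true
  commonName: internal-ca-root
  secretName: internal-ca-root      # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 87600h                  # 10 years, constructed value for a root
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca                 # workloads request leaf certificates from this issuer
spec:
  ca:
    secretName: internal-ca-root
---
# Step 2: publish the CA certificate (and the public roots) to every opted-in namespace.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: internal-ca-bundle          # becomes the ConfigMap name in each target namespace
spec:
  sources:
  - useDefaultCAs: true             # keep the public roots so pods can still reach the internet
  - secret:
      name: internal-ca-root        # read only from the trust namespace
      key: ca.crt                   # the public certificate only; tls.key never leaves cert-manager
  target:
    configMap:
      key: ca-bundle.pem
    namespaceSelector:
      matchLabels:
        trust: enabled              # namespaces opt in by label instead of a cluster-wide push
---
# Step 3: a consumer pod mounts the distributed bundle and points its TLS library at it.
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: payments               # assumed namespace, labelled trust=enabled
spec:
  containers:
  - name: app
    image: registry.example.com/api-client:1.0   # placeholder image
    env:
    - name: SSL_CERT_FILE           # honoured by OpenSSL and Go on Linux
      value: /etc/trust/ca-bundle.pem
    volumeMounts:
    - name: ca-bundle
      mountPath: /etc/trust         # directory mount, so ConfigMap updates propagate
      readOnly: true
  volumes:
  - name: ca-bundle
    configMap:
      name: internal-ca-bundle      # created and kept in sync by trust-manager
```

Two points worth checking in a real rollout: the Bundle carries only public certificates, which is why a ConfigMap (not a Secret) is an appropriate target, and the bundle is mounted as a directory rather than with subPath, because subPath mounts never pick up ConfigMap changes and would silently keep an old bundle after the CA rotates.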