Built for Kubernetes
The pre-built Kubernetes TLS secret template ships in your CertKit account. No scripting required.
Kubernetes terminates TLS from a secret of type kubernetes.io/tls,
referenced by name from your ingress. When the certificate renews, the secret keeps
holding the old one until someone rebuilds it from the new cert and key.
Every 47 days.
In every namespace, in every cluster.
CertKit centralizes certificate issuance and renewal, then applies the renewed certificate to your TLS secrets via the CertKit Agent and kubectl. Ingresses and workloads that reference the secret pick up the change on their own.
The pre-built Kubernetes TLS secret template ships in your CertKit account. No scripting required.
The CertKit Agent applies the renewed certificate and key to the TLS secret with kubectl, as a create-or-replace, so the same deployment works whether the secret exists yet or not. Ingress controllers watch their secrets, so the rollover happens without a restart, a redeploy, or a dropped connection.
The pre-built template ships with your CertKit account. Set the secret name and namespace once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
kubectl create secret tls my-tls --cert=tls.crt --key=tls.key -n my-namespace.
The certificate file needs the full chain, leaf first.
spec.tls with the covered hosts and the secretName.
The ingress controller picks it up from there.
kubectl create secret tls fails with "already exists" the second time.
The working pattern is create with --dry-run=client -o yaml piped to
kubectl apply.
Every one of these steps is manual, and Kubernetes won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, per secret, per namespace, per cluster. Miss one copy and that ingress serves an expired certificate while the others look fine.
At 47 days, automation is the only sustainable way to run ingress certificates. Here's how CertKit does it.
Your cluster CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ ┌─────────────┐ │ │ │ │ │ │ │CertKit Agent│◄─┼─────┤ Issue & Renew │◄──►│ │ │ └──────┬──────┘ │ │ Certificates │ │ │ │ │ kubectl │ │ ┌───┐ └─────────────┘ │ ▼ │ └───────────┬────│DNS│ │ ┌──────────────┐ │ │ └───┘ │ │ TLS secret │ │ │ │ │ [x] Applied │ │ │ │ │ Ingress │ │ ◄───────────────┘ │ │ [x] Rolled │ │ Verify │ └──────────────┘ │ └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. The agent runs on a host with a kubectl context for the cluster and applies the secret from outside. Nothing runs inside the cluster, no controller to deploy, no CRDs to install, no in-cluster DNS credentials.
Using CertKit to manage our public-facing SSL certificates has been an excellent decision. The platform is user-friendly, certificates are easy to deploy, and the automation agent streamlines the entire certificate lifecycle, eliminating concerns around shortening certificate validity periods.
Chris Austin, IT Engineer, Buckman
cert-manager is the standard in-cluster answer, and inside one cluster it's a good one. Its trade-offs show up at the edges: HTTP-01 solvers need the cluster reachable from the internet, DNS-01 means DNS provider credentials stored as cluster secrets, and each cluster becomes its own certificate silo with its own issuers to configure and its own controller to keep upgraded. Private clusters, and there are a lot of private clusters, can't answer HTTP-01 at all.
The bigger issue is that the cluster is rarely the whole estate. The same organizations run IIS, appliances, and load balancers that cert-manager will never touch. CertKit issues via delegated DNS validation and deploys the same renewed certificate to the TLS secret and to everything outside the cluster, from one account, with no ACME machinery to operate anywhere.
Most infrastructures have more than one place where certificates live: the nginx and Apache servers that never made it into the cluster, self-hosted apps like GitLab, and certificates pushed to Azure Key Vault for cloud services. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.