Managed Certificates

TLS lifecycle, certificate renewal, and internal PKI as a supporting infrastructure add-on


Managed Certificates is a supporting infrastructure add-on for teams that need certificate hygiene across public services, internal APIs, Kubernetes ingress, service meshes, databases, runners, or delivery platforms. Assistance focuses on the operating model: who approves certificates, how renewal works, where private keys live, what gets monitored, and how rollout failures are reversed.

Best-fit use cases

| Use case | Why managed certificates fit |
| --- | --- |
| Expiry incidents keep recurring | Inventory, renewal alerts, automation, and runbooks reduce surprise outages |
| Kubernetes TLS needs ownership | cert-manager issuers, ingress certificates, and secret rotation need a clear platform owner |
| Internal services need encryption | Internal PKI or Vault PKI can provide service identities without relying on manual self-signed certificates |
| DNS validation is fragile | ACME DNS-01 flows require reliable provider access and change control |
| Legacy apps need certificate formats | Java keystores, PKCS#12, PEM bundles, and custom rollout workflows need operational handling |

What Assistance operates

| Area | Included responsibility |
| --- | --- |
| Assessment | Certificate inventory, expiry dates, issuers, trust chains, domain validation method, private-key handling, and ownership gaps |
| Issuance | Public CA, internal CA, ACME, cert-manager, Vault PKI, or custom issuance workflows where scoped |
| Renewal | Renewal windows, automation, alerting, rollout procedure, rollback notes, and evidence checks |
| Distribution | Kubernetes secrets, Vault, load balancers, reverse proxies, application stores, or encrypted delivery channels |
| Security | Key storage recommendations, CA hierarchy, certificate policies, mTLS guidance, and access control review |
| Monitoring | Certificate expiry dashboards, alerts, critical endpoint checks, and escalation notes |

Supported patterns

  • Public certificates through Let's Encrypt or commercial certificate authorities
  • ACME HTTP-01 and DNS-01 workflows
  • cert-manager for Kubernetes ingress and internal services
  • HashiCorp Vault PKI for internal certificate issuance
  • Internal root and intermediate CA design where justified
  • mTLS for service-to-service communication
  • Load balancer, reverse proxy, GitLab, registry, database, and internal API certificates
  • Java keystore, PKCS#12, PEM, and legacy application distribution needs

Management process

1. Certificate assessment

We inventory certificates, issuers, domains, expiry windows, validation methods, private-key locations, consumers, and current incident history.

2. Lifecycle design

We define issuer choices, CA hierarchy where needed, DNS dependencies, renewal windows, monitoring, access controls, and rollout responsibility.

3. Automation and rollout

Assistance configures cert-manager, Vault PKI, ACME, provider integrations, or application-specific delivery workflows, then documents rollback and recovery steps.

4. Operate and review

We monitor certificate health, handle renewals inside the agreed boundary, review expiring or risky certificates, and coordinate DNS or platform changes.
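As an added illustration of the assessment and monitoring steps above (example code written for this page, not the service's own tooling), the check below parses a PEM certificate, computes days to expiry, and classifies it against a renewal window. The 30-day window, the 90-day lifetime and the self-signed sample certificates are assumptions constructed for the demonstration; the same function works on any PEM bundle exported from an ingress, load balancer or application store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Assess classifies the first CERTIFICATE block of a PEM bundle at time now ("ok", "renew",
// "expired" or "not-yet-valid") and returns whole days to NotAfter; window is the renewal lead time.
func Assess(pemBytes []byte, now time.Time, window time.Duration) (string, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", 0, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case now.Before(cert.NotBefore):
		return "not-yet-valid", days, nil // clock skew, or rolled out before NotBefore
	case !now.Before(cert.NotAfter):
		return "expired", days, nil
	case cert.NotAfter.Sub(now) <= window:
		return "renew", days, nil
	}
	return "ok", days, nil
}

// SelfSignedPEM builds a constructed self-signed certificate as offline sample input (test data only).
func SelfSignedPEM(notBefore time.Time, lifetime time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now().Truncate(time.Second), 24*time.Hour
	for _, age := range []time.Duration{10 * day, 70 * day, 100 * day} { // healthy, in window, expired
		status, days, err := Assess(SelfSignedPEM(now.Add(-age), 90*day), now, 30*day)
		fmt.Printf("age=%3dd status=%-13s days_left=%4d err=%v\n", int(age.Hours()/24), status, days, err)
	}
}
```

A "renew" result is the signal an expiry dashboard should alert on, well before "expired" appears; "not-yet-valid" usually points at clock skew on the consumer or a certificate rolled out ahead of its NotBefore.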

Self-signed, internal CA, and public CA

| Option | Best for | Notes |
| --- | --- | --- |
| Public CA | Browser-facing sites, public APIs, and externally trusted endpoints | Usually ACME or commercial CA; domain validation and DNS access must be reliable. |
| Internal CA | Internal APIs, databases, service meshes, and private platforms | Requires trust-store management and a clear CA ownership model. |
| Self-signed | Temporary development or isolated legacy cases | Useful sparingly; operational risk increases without inventory and renewal discipline. |

  • Managed DNS — DNS validation, delegated zones, and provider automation for certificate issuance
  • Managed K3s — cert-manager and ingress certificates for lightweight Kubernetes environments
  • Managed GitLab — GitLab web, registry, SSH, and runner callback certificates
  • Managed Prometheus — Certificate expiry and endpoint monitoring

Getting started