Managed Certificates
TLS lifecycle, certificate renewal, and internal PKI as a supporting infrastructure add-on
Managed Certificates is a supporting infrastructure add-on for teams that need certificate hygiene across public services, internal APIs, Kubernetes ingress, service meshes, databases, runners, or delivery platforms. Assistance focuses on the operating model: who approves certificates, how renewal works, where private keys live, what gets monitored, and how rollout failures are reversed.
Best-fit use cases
What Assistance operates
Certificate trust is a shared responsibility
Assistance can operate the certificate lifecycle inside the agreed boundary. Your team remains responsible for domain ownership approvals, application trust-store behavior, business-specific identity policy, and any compliance attestations not included in the engagement.
Supported patterns
- Public certificates through Let's Encrypt or commercial certificate authorities
- ACME HTTP-01 and DNS-01 workflows
- cert-manager for Kubernetes ingress and internal services
- HashiCorp Vault PKI for internal certificate issuance
- Internal root and intermediate CA design where justified
- mTLS for service-to-service communication
- Load balancer, reverse proxy, GitLab, registry, database, and internal API certificates
- Java keystore, PKCS#12, PEM, and legacy application distribution needs
Management process
1. Certificate assessment
We inventory certificates, issuers, domains, expiry windows, validation methods, private-key locations, consumers, and current incident history.
2. Lifecycle design
We define issuer choices, CA hierarchy where needed, DNS dependencies, renewal windows, monitoring, access controls, and rollout responsibility.
3. Automation and rollout
Assistance configures cert-manager, Vault PKI, ACME, provider integrations, or application-specific delivery workflows, then documents rollback and recovery steps.
4. Operate and review
We monitor certificate health, handle renewals inside the agreed boundary, review expiring or risky certificates, and coordinate DNS or platform changes.
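As an added example (not code from this page or from the Assistance offering), the assessment and review steps above can be exercised with a small Go inventory check built on the standard library's crypto/x509 package. It parses every certificate in a PEM bundle, records subject, issuer, SANs and expiry, detects whether a certificate is self-signed, and classifies each one as fine, inside the renewal window, or already expired. The certificates it inspects are constructed in memory with throwaway keys; the hostnames and the 30-day renewal window are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertStatus is one row of the certificate inventory.
type CertStatus struct {
	Subject    string
	Issuer     string
	DNSNames   []string
	SelfSigned bool
	NotAfter   time.Time
	DaysLeft   int    // whole days until NotAfter; negative once expired
	Risk       string // "ok", "renew" (inside the renewal window) or "expired"
}

// Assess parses every CERTIFICATE block in a PEM bundle and classifies it
// against a renewal window (in days) relative to now. Other PEM block types
// (private keys, CSRs) are skipped so a mixed bundle can be inventoried.
func Assess(bundle []byte, now time.Time, renewWindowDays int) ([]CertStatus, error) {
	var rows []CertStatus
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate %d: %w", len(rows)+1, err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		risk := "ok"
		switch {
		case now.After(cert.NotAfter):
			risk = "expired"
		case days <= renewWindowDays:
			risk = "renew"
		}
		// Self-signed: the certificate's own key verifies its signature.
		selfSigned := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
		rows = append(rows, CertStatus{
			Subject:    cert.Subject.String(),
			Issuer:     cert.Issuer.String(),
			DNSNames:   cert.DNSNames,
			SelfSigned: selfSigned,
			NotAfter:   cert.NotAfter,
			DaysLeft:   days,
			Risk:       risk,
		})
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return rows, nil
}

// SampleCertPEM issues a self-signed certificate for cn, valid for validDays
// from notBefore. Constructed sample data so the inventory runs offline; real
// certificates would come from ACME, cert-manager or Vault PKI.
func SampleCertPEM(cn string, dnsNames []string, notBefore time.Time, validDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, validDays),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed inventory (hypothetical hosts): one cert near expiry, one fresh.
	a, _ := SampleCertPEM("api.internal.example", []string{"api.internal.example"}, start, 90)
	b, _ := SampleCertPEM("gitlab.internal.example", []string{"gitlab.internal.example", "registry.internal.example"}, start, 365)
	rows, err := Assess(append(a, b...), start.AddDate(0, 0, 70), 30)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-8s %4dd  self-signed=%-5v %s [%s]\n", r.Risk, r.DaysLeft, r.SelfSigned, r.Subject, strings.Join(r.DNSNames, ","))
	}
}
```

In operation the bundle would be read from the load balancer, ingress secret or keystore export rather than constructed, and the renewal window should be no shorter than the time it takes to notice a failed rollout and reverse it, which is what the rollback documentation in step 3 is for.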
Self-signed, internal CA, and public CA
Related add-ons
- Managed DNS — DNS validation, delegated zones, and provider automation for certificate issuance
- Managed K3s — cert-manager and ingress certificates for lightweight Kubernetes environments
- Managed GitLab — GitLab web, registry, SSH, and runner callback certificates
- Managed Prometheus — certificate expiry and endpoint monitoring
Getting started
Request a certificate assessment. We will review certificate inventory, renewal risks, DNS dependencies, internal PKI needs, and rollout boundaries before proposing scope.