
Certificate add-on

TLS lifecycle without expiry-driven incidents

Assistance manages certificate issuance, renewal, rollout, internal PKI, and certificate-health visibility for services that need reliable TLS inside a broader platform or services engagement.

Public CAs, internal PKI, cert-manager, Vault, and mTLS support. Scope confirmed before operations begin.

Service playbook

From problem to operating evidence

Main content is structured like a case study: context first, scoped work next, then the operating changes and evidence a team can use after handoff.


Managed Certificates is a supporting infrastructure add-on for teams that need certificate hygiene across public services, internal APIs, Kubernetes ingress, service meshes, databases, runners, or delivery platforms. Assistance focuses on the operating model: who approves certificates, how renewal works, where private keys live, what gets monitored, and how rollout failures are reversed.

Case-study lens

Scoped

Problem, responsibility, and handoff boundaries before implementation.

Evidence

Dashboards, runbooks, reviews, and operating records over borrowed logos.

Outcomes

Conservative summaries focused on observable operational improvement.

Section 01: Evidence

Best-fit use cases

Runbooks, dashboards, reviews, and handoff material make the work auditable.

Use case | Why managed certificates fit
Expiry incidents keep recurring | Inventory, renewal alerts, automation, and runbooks reduce surprise outages
Kubernetes TLS needs ownership | cert-manager issuers, ingress certificates, and secret rotation need a clear platform owner
Internal services need encryption | Internal PKI or Vault PKI can provide service identities without relying on manual self-signed certificates
DNS validation is fragile | ACME DNS-01 flows require reliable provider access and change control
Legacy apps need certificate formats | Java keystores, PKCS#12, PEM bundles, and custom rollout workflows need operational handling
Section 02: Operating model

What Assistance operates

Responsibilities, response paths, and technical changes are made explicit before work starts.

Area | Included responsibility
Assessment | Certificate inventory, expiry dates, issuers, trust chains, domain validation method, private-key handling, and ownership gaps
Issuance | Public CA, internal CA, ACME, cert-manager, Vault PKI, or custom issuance workflows where scoped
Renewal | Renewal windows, automation, alerting, rollout procedure, rollback notes, and evidence checks
Distribution | Kubernetes secrets, Vault, load balancers, reverse proxies, application stores, or encrypted delivery channels
Security | Key storage recommendations, CA hierarchy, certificate policies, mTLS guidance, and access control review
Monitoring | Certificate expiry dashboards, alerts, critical endpoint checks, and escalation notes

Assistance can operate the certificate lifecycle inside the agreed boundary. Your team remains responsible for domain ownership approvals, application trust-store behavior, business-specific identity policy, and any compliance attestations not included in the engagement.
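As an added illustration of the assessment and monitoring responsibilities above (example code written for this page, not the service's own tooling): a small inventory triage that classifies constructed certificate records against assumed per-issuer renewal windows and flags the ownership and self-signed gaps an assessment is meant to surface. The record fields, window values, names and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import ssl

# Days before expiry at which renewal must start, per issuer kind (assumed policy values).
RENEW_WINDOW_DAYS = {"public": 30, "internal": 14, "self-signed": 7}

@dataclass
class CertRecord:
    name: str             # endpoint or consumer the certificate serves
    issuer_kind: str      # "public", "internal", or "self-signed"
    not_after: str        # notAfter in the form ssl.getpeercert() returns, e.g. "Jun  1 12:00:00 2026 GMT"
    owner: Optional[str]  # team that approves renewal; None records an ownership gap
    environment: str      # "prod" or "dev"

def days_remaining(not_after: str, now: datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)  # stdlib parser for the OpenSSL date format
    return (expiry_epoch - now.timestamp()) / 86400.0

def triage(rec: CertRecord, now: datetime) -> List[str]:
    """Findings for one certificate: expiry state plus operating-model gaps."""
    findings = []
    days = days_remaining(rec.not_after, now)
    window = RENEW_WINDOW_DAYS[rec.issuer_kind]
    if days <= 0:
        findings.append("EXPIRED")
    elif days <= window / 2:
        findings.append("CRITICAL")   # inside half the window: escalate instead of waiting on automation
    elif days <= window:
        findings.append("RENEW_DUE")  # renewal should already be in progress
    if rec.owner is None:
        findings.append("NO_OWNER")   # nobody approves or executes the renewal
    if rec.issuer_kind == "self-signed" and rec.environment == "prod":
        findings.append("SELF_SIGNED_IN_PROD")  # acceptable only for dev or isolated legacy cases
    return findings

def triage_inventory(records: List[CertRecord], now: datetime) -> Dict[str, List[str]]:
    """Map each certificate name to its findings; an empty list means no action needed."""
    return {r.name: triage(r, now) for r in records}

# Constructed sample inventory: names and dates are made up for this example.
SAMPLE_INVENTORY = [
    CertRecord("api.example.com", "public", "Feb  1 00:00:00 2026 GMT", "platform", "prod"),
    CertRecord("db.internal", "internal", "Jan 20 00:00:00 2026 GMT", None, "prod"),
    CertRecord("legacy-app", "self-signed", "Jan 10 00:00:00 2026 GMT", "legacy", "prod"),
    CertRecord("dev-box", "self-signed", "Jun 30 00:00:00 2026 GMT", "dev", "dev"),
]
REVIEW_TIME = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed review time so results are reproducible
```

Run `triage_inventory(SAMPLE_INVENTORY, REVIEW_TIME)` to see which records are due, critical, expired, unowned, or self-signed in production.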

Section 03: Outcome

Supported patterns

Expected changes are framed as practical operating improvements, not unsupported guarantees.

  • Public certificates through Let's Encrypt or commercial certificate authorities
  • ACME HTTP-01 and DNS-01 workflows
  • cert-manager for Kubernetes ingress and internal services
  • HashiCorp Vault PKI for internal certificate issuance
  • Internal root and intermediate CA design where justified
  • mTLS for service-to-service communication
  • Load balancer, reverse proxy, GitLab, registry, database, and internal API certificates
  • Java keystore, PKCS#12, PEM, and legacy application distribution needs
Section 04: Operating model

Management process

The section clarifies how production responsibilities change once the service is in place.

Assessment step

1. Certificate assessment

We inventory certificates, issuers, domains, expiry windows, validation methods, private-key locations, consumers, and current incident history.

Operating step

2. Lifecycle design

We define issuer choices, CA hierarchy where needed, DNS dependencies, renewal windows, monitoring, access controls, and rollout responsibility.

What changes

3. Automation and rollout

Assistance configures cert-manager, Vault PKI, ACME, provider integrations, or application-specific delivery workflows, then documents rollback and recovery steps.

Assessment step

4. Operate and review

We monitor certificate health, handle renewals inside the agreed boundary, review expiring or risky certificates, and coordinate DNS or platform changes.

Section 05: Operating model

Self-signed, internal CA, and public CA

Responsibilities, response paths, and technical changes are made explicit before work starts.

Option | Best for | Notes
Public CA | Browser-facing sites, public APIs, and externally trusted endpoints | Usually ACME or commercial CA; domain validation and DNS access must be reliable.
Internal CA | Internal APIs, databases, service meshes, and private platforms | Requires trust-store management and a clear CA ownership model.
Self-signed | Temporary development or isolated legacy cases | Useful sparingly; operational risk increases without inventory and renewal discipline.
Section 06: Next step

Decision points and common questions are made explicit so follow-up work is scoped cleanly.

  • Managed DNS — DNS validation, delegated zones, and provider automation for certificate issuance
  • Managed K3s — cert-manager and ingress certificates for lightweight Kubernetes environments
  • Managed GitLab — GitLab web, registry, SSH, and runner callback certificates
  • Managed Prometheus — Certificate expiry and endpoint monitoring
Section 07: Next step

Getting started

Decision points and common questions are made explicit so follow-up work is scoped cleanly.

Request a certificate assessment. We will review certificate inventory, renewal risks, DNS dependencies, internal PKI needs, and rollout boundaries before proposing scope. Request certificate assessment →

Ready to get started?

Book a quote review or talk to an engineer.


Pricing

Flexible scopes are available if you need custom terms or bundled service pricing.

Per certificate: 5 €/certificate/mo

Minimum 20 certificates — from 100 €/mo

One-time setup fee: 0 €

Automated certificate lifecycle management — issuance, renewal, and deployment. Supports Let's Encrypt, custom CAs, and enterprise PKI.


Does not include server infrastructure costs (compute, storage, egress).

Talk to a senior engineer

Need a clearer path for Managed Certificates?

We'll help you understand fit, scope, pricing, and the fastest practical next step for your team.

No obligation • Senior engineer review • Recommendations grounded in your current stack