Skip to main content
JobCannon
All skills
πŸ”

Cert Manager & ACME

Automate SSL/TLS certificate lifecycle on Kubernetes with Let's Encrypt

β¬’ TIER 2Tech
πŸ’°
+$20k-
Salary impact
⏱
3 months
Time to learn
πŸ“Š
Medium
Difficulty
πŸ‘₯
β€”
Careers
At a glance

Cert Manager is the Kubernetes community standard for automating X.509 certificate lifecycle. ACME (Automated Certificate Management Environment) is the protocol cert-manager uses to talk to Let's Encrypt (free) or other CAs. Core use: automatic renewal before expiration, multi-cert environments, wildcard certificates. Mastery takes 2-3 months for DevOps engineers. Typical salary impact: $15-30k for platform engineers who own cert ops.

What is Cert Manager & ACME

Cert-manager is the Kubernetes standard for automating X.509 certificate management. Never manually renew SSL certs again. Integrated with Ingress for transparent HTTPS. Boost: +$20k-$40k

πŸ”§ TOOLS & ECOSYSTEM
cert-manager Kubernetes operatorLet's Encrypt ACMEKubernetes manifests (YAML)OpenSSL (certificate inspection)Helm charts (deployment)Automated renewal schedulingIssuer/ClusterIssuer resourcesDNS-01 challenge validation

πŸ’° Salary by region

RegionJuniorMidSenior
πŸ‡ΊπŸ‡ΈUSA$70k$130k$185k
πŸ‡¬πŸ‡§UKΒ£55kΒ£105kΒ£155k
πŸ‡ͺπŸ‡ΊEU€60k€115k€165k
πŸ‡¨πŸ‡¦CANADAC$85kC$155kC$220k

πŸŽ“ Certifications

Kubernetes Certification (CKA), cert-manager section→Let's Encrypt Documentation→JetStack cert-manager Academy→

βš– Compare with

Ci Cd PipelinesInfrastructure As Code

❓ FAQ

β–ΆWhat's cert-manager and why not just buy certificates?
Cert-manager automates renewal so you never forget. Bought certs expire in 1-3 years; you must manually renew. Let's Encrypt certs expire in 90 days but auto-renew. Cert-manager handles both. On Kubernetes, cert-manager integrates with Ingress (automagically sets TLS) and integrates with Let's Encrypt ACME.
β–ΆIs Let's Encrypt free really free?
Yes, fully free (donated by EFF, Mozilla, etc.). Rate-limited: 50 certificates per domain per week. Perfect for most teams. Wildcard certs also free. Downside: no phone support, basic validation only. Enterprise CAs (DigiCert, Entrust) cost $200-1000/year but offer phone support and higher validation.
β–ΆHow often does cert-manager renew certificates?
Default: renew 30 days before expiration. Let's Encrypt certs expire 90 days after issue, so renewal happens at day ~60. You can customize this (earlier renewal for peace of mind). Failed renewals auto-retry. If manual intervention needed, cert-manager sends alerts.
β–ΆCan cert-manager manage non-Kubernetes certificates?
Not natively. Cert-manager runs as Kubernetes operator; it manages certs as K8s resources. For non-K8s apps, use cert-manager to generate cert (stored as Secret), then manually copy to app server. Or use Vault (alternative CA) for broader infrastructure.
β–ΆWhat's the difference between HTTP-01 and DNS-01 challenges?
HTTP-01: ACME server validates by accessing .well-known/acme-challenge/{token} on your domain. Requires public HTTP access. Faster, simpler. DNS-01: ACME server checks DNS TXT record for token. Requires DNS API access. Enables wildcard certs, works behind firewalls. Pick based on your setup; most teams use HTTP-01.
β–ΆHow do I debug a failed certificate renewal?
Check cert-manager logs: kubectl logs -n cert-manager deploy/cert-manager. Look for ACME challenge failures. Common: DNS misconfiguration, firewall blocking HTTP-01, rate limits hit. Inspect Certificate resource: kubectl describe cert <name>. View Issuer status. Most failures = network connectivity, not cert-manager bugs.
β–ΆWhat salary jump for cert-manager expertise?
Platform engineer ($100-130k) β†’ cert-manager + PKI specialist ($130-160k). Rare skill: only 30% of K8s teams automate certs fully. Managing certs for 500+ microservices = premium compensation. Senior (architecture): $160-200k.
🎯

Not sure this skill is for you?

Take a 10-min Career Match β€” we'll suggest the right tracks.

Find my best-fit skills β†’

Find your ideal career path

Skill-based matching across 2,536 careers. Free, ~10 minutes.

Take Career Match β€” free β†’
Browse more:All skillsCareer libraryPersonality testsMethodology