cert-manager Automates Certificate Lifecycle. The Certificates Carry No Governance Policy.
by Nick Clark | Published March 28, 2026
cert-manager automates TLS certificate lifecycle management in Kubernetes, handling issuance, renewal, and rotation through integration with certificate authorities like Let's Encrypt, Vault, and Venafi. The automation removes significant operational burden. But the certificates cert-manager manages carry identity and encryption capability. They do not carry governance policy. A valid certificate enables encrypted communication. It does not enforce what that communication is allowed to contain or how it must be governed. The gap is between certificate automation and cryptographic governance.
cert-manager's Kubernetes-native certificate automation with multiple CA integrations is essential infrastructure. The gap described here is about what certificates carry, not about lifecycle management.
Certificates authenticate, they do not govern
A TLS certificate issued by cert-manager proves the identity of a service and enables encrypted communication. But the certificate does not carry policy about what operations the service can perform, what data it can access, or what governance constraints apply to its communications. The certificate says who is communicating. It does not govern the communication.
Rotation without governance evolution
cert-manager rotates certificates before expiration. The new certificate carries the same identity and the same absence of governance policy. Rotation addresses certificate freshness. It does not address governance evolution. The governance requirements for a service may change over time, but the certificate carries no governance to evolve.
What cryptographic governance provides
Cryptographic governance would attach signed policy references to certificates or alongside them, specifying the governance constraints that apply to the certified identity. Certificate rotation would include governance policy update. Each communication would be validated not just for identity but for governance compliance. cert-manager's automation would extend to governance lifecycle alongside certificate lifecycle.
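As an added illustration, not cert-manager code or any project's API, the Go sketch below shows the validation step this section describes: a governance authority signs a policy bound to the service identity that the certificate authenticates, and the relying side checks the signature, the identity binding, the policy's own review deadline and the requested operation before trusting anything the TLS handshake alone established. The Policy, SignPolicy and Authorize names, the ledger:* operation names and the choice of Ed25519 are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy is a hypothetical governance document, not a cert-manager type. It binds to
// the service identity (the Certificate's DNS SAN) rather than to one certificate, so
// it survives rotation, and it has its own ReviewBy deadline independent of NotAfter.
type Policy struct {
	Subject    string    `json:"subject"`
	AllowedOps []string  `json:"allowed_ops"`
	ReviewBy   time.Time `json:"review_by"`
}

// SignPolicy is run by the governance authority (Ed25519 stands in for any scheme).
func SignPolicy(p Policy, key ed25519.PrivateKey) (body, sig []byte) {
	body, _ = json.Marshal(p)
	return body, ed25519.Sign(key, body)
}

// Authorize is the step TLS never performs: after the peer certificate has
// authenticated san, require a current, correctly signed policy that permits op.
func Authorize(san, op string, body, sig []byte, auth ed25519.PublicKey, now time.Time) error {
	var p Policy
	if !ed25519.Verify(auth, body, sig) {
		return errors.New("policy signature invalid")
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	switch {
	case p.Subject != san:
		return fmt.Errorf("policy is for %q, certificate identity is %q", p.Subject, san)
	case now.After(p.ReviewBy):
		return errors.New("policy past review date: fresh certificate, stale governance")
	}
	for _, a := range p.AllowedOps {
		if a == op {
			return nil
		}
	}
	return fmt.Errorf("operation %q not permitted for %s", op, san)
}
```

Calling Authorize with a certificate identity that matches the policy but a clock past ReviewBy fails even though a freshly rotated certificate would still verify, which is the rotation-without-governance-evolution case above.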