Automate SSL/TLS Management with OpenShift Cert-Manager

In Red Hat OpenShift Container Platform (OCP), cert-manager is the enterprise standard for automating cloud-native certificate management. It acts as a Kubernetes-native controller that simplifies the process of obtaining, renewing, and utilizing SSL/TLS certificates.

Instead of security teams tracking expiration dates in spreadsheets, generating CSRs by hand, and copying files into Secret keys, cert-manager turns certificates into declarative Custom Resources (backed by CRDs). It continuously monitors your certificates and automatically handles renewals before they expire.

1. Core Concepts and Architecture

To use cert-manager inside OpenShift, you interact with three core custom resources:

  • Issuer / ClusterIssuer: These resources represent the certificate authorities (CAs) that generate your certificates. An Issuer works only within a single namespace, while a ClusterIssuer is a global resource capable of signing certificates across the entire cluster.
  • Certificate: A declarative request defining your desired certificate parameters (common name, DNS names, duration, and renewal thresholds). It references an Issuer or ClusterIssuer.
  • Secret: The physical object generated by cert-manager once the certificate is successfully validated and issued. It contains the private key (tls.key) and the public certificate chain (tls.crt), which are instantly consumed by Ingresses, Routes, or pods.

2. Supported Certificate Authorities (Issuers)

OpenShift’s cert-manager integrates natively with a wide array of public and private certificate backends:

  • Public CAs: Automates requests to ACME-compliant services like Let’s Encrypt or DigiCert using HTTP-01 or DNS-01 verification challenges.
  • Internal Corporate CAs: Integrates via HashiCorp Vault, native CA files (using existing enterprise root/intermediate certificates), or Venafi to ensure alignment with corporate security frameworks.
  • Self-Signed: Used for local development and sandbox environments where external trust chains aren’t necessary.

3. Native Integration with OpenShift Ingress and Routes

One of the most powerful aspects of cert-manager inside OpenShift is its Ingress and Route integration.

By leveraging the Cert-Manager Webhook, you don’t even need to write a Certificate manifest manually for every web application. Instead, you add a specific annotation to your OpenShift Route, and cert-manager automatically provisions and injects the certificate in the background.

Production Example: Securing a Route via Let’s Encrypt

Here is how an engineer configures automated SSL/TLS termination on a public application route.

Step A: Declare the ClusterIssuer (ACME/Let’s Encrypt)

This configuration tells cert-manager how to register with Let’s Encrypt and use an HTTP-01 challenge via the cluster router to prove domain ownership.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: sre-team@mycompany.com
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: openshift-default

Step B: Annotate the OpenShift Route

When deploying your application, simply add the cert-manager.io/cluster-issuer annotation. The operator will catch this request, solve the ACME challenge, generate a Kubernetes TLS Secret, and attach it to the route automatically.

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: secure-web-app
  namespace: production-apps
  annotations:
    # This single line triggers the entire automation loop
    cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
  host: app.apps.prod-cluster.mycompany.com
  to:
    kind: Service
    name: web-app-service
  port:
    targetPort: http
  tls:
    termination: edge # Leverages the cert-manager certificate at the router layer
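Once the annotation has fired, the next thing a practitioner wants is a check that the resulting Certificate actually went Ready and that cert-manager's renewal loop is keeping up, rather than discovering a stuck renewal at expiry. The audit below is an added example, not code from the original post or from the cert-manager project: it assumes input shaped like `oc get certificate -A -o json` (the inline sample is constructed to stand in for that output) and reads the real Certificate status fields notAfter, renewalTime and the Ready condition.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `oc get certificate -A -o json` (not a real dump).
SAMPLE_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "production-apps", "name": "secure-web-app-tls"},
     "status": {"notAfter": "2025-03-01T00:00:00Z",
                "renewalTime": "2025-01-30T00:00:00Z",
                "conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "staging", "name": "api-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "Failed",
                                "message": "ACME challenge failed"}]}},
]})

def parse_time(value):
    # cert-manager serialises status timestamps as RFC 3339 UTC ("...Z").
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_certificates(raw_json, now_rfc3339, warn_within_days=7):
    """Return (namespace/name, finding) pairs for Certificates that need attention."""
    now = parse_time(now_rfc3339)
    findings = []
    for item in json.loads(raw_json).get("items", []):
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace')}/{meta.get('name')}"
        status = item.get("status", {})
        # The Ready condition is cert-manager's verdict on issuance; anything else is a failure.
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), {})
        if ready.get("status") != "True":
            findings.append((ident, "not ready: " + (ready.get("message") or ready.get("reason") or "no Ready condition")))
            continue
        not_after = parse_time(status["notAfter"])
        if not_after <= now:
            findings.append((ident, "expired"))
        elif not_after - now <= timedelta(days=warn_within_days):
            findings.append((ident, f"expires in {(not_after - now).days} days"))
        # renewalTime is when cert-manager intends to rotate; if it has passed and the
        # cert is still the old one, the renewal loop is stuck (issuer outage, failed challenge).
        renewal = status.get("renewalTime")
        if renewal and parse_time(renewal) <= now and not_after > now:
            findings.append((ident, "renewal overdue: renewalTime has passed but the certificate was not rotated"))
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for ident, finding in audit_certificates(SAMPLE_JSON, now):
        print(f"{ident}: {finding}")
```

Pipe the live output of `oc get certificate -A -o json` into the same function to run it against a real cluster.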

4. How to Install it in OCP

Historically, cert-manager had to be managed via community Helm charts. In modern OpenShift, Red Hat provides a fully supported, native operator.

  1. Log into your OpenShift Web Console as a cluster administrator.
  2. Navigate to Operators -> OperatorHub.
  3. Search for Cert-manager Operator for Red Hat OpenShift.
  4. Click Install (this provisions the operator and installs the controllers globally inside the openshift-cert-manager namespace).

Once installed, the operator automatically ensures that your control plane components have access to structured certificate automation, shifting the operational burden of certificate management away from SRE teams.
