cert-manager vs Cloud Certificate Management

cert-manager (in-cluster) vs cloud-managed certificates (AWS ACM, GCP, Azure): which approach fits your Kubernetes TLS strategy?

kubernetessecuritytlscertificatescert manager

Back to Toolkit

Feature Matrix	cert-manager CNCF project that automates TLS certificate issuance and renewal inside Kubernetes via ACME, Vault, and CA issuers.	Cloud Certs (ACM / GCP / Azure) Cloud-managed certificate services that handle public TLS certs for load balancers and CDN — zero in-cluster ops.
Architecture cert-manager runs in your cluster; cloud certificate management is external to it.	In-cluster operator — issues and renews certs inside Kubernetes	Cloud-managed (AWS ACM, GCP Managed SSL, Azure App Service Certs)
Let's Encrypt / ACME cert-manager has native ACME/Let's Encrypt support. Cloud providers use their own CA or charge for public certs.
Internal / Private PKI cert-manager is far more flexible for internal certificate authorities and mTLS.	Yes — self-signed, CA issuers, Vault PKI integration	Limited — AWS Private CA (costly), GCP Private CA
Kubernetes Secret Integration cert-manager certs are immediately available as K8s Secrets. Cloud certs need the aws-load-balancer-controller or similar.	Native — stores cert in Kubernetes TLS Secret, auto-mounts	Requires sync (AWS ACM doesn't export certs as K8s Secrets without extra tooling)
Wildcard Certificates Both support wildcards. cert-manager requires a DNS provider integration for DNS-01 challenges.	Yes (DNS-01 ACME challenge)	Yes (AWS ACM, GCP)
Automatic Renewal Both auto-renew. Cloud providers are zero-ops; cert-manager requires the operator to keep running.	Yes — renews at 2/3 of cert duration (e.g. day 60 for a 90-day Let's Encrypt cert)	Yes — cloud providers handle renewal transparently
Cost Let's Encrypt via cert-manager is free. AWS ACM public certs are free on ALB. AWS Private CA is expensive.	Free (Let's Encrypt) or Vault PKI costs	Free for public certs on ALB/CloudFront (AWS ACM). Private CA: $400/month
Operational Complexity Cloud certificate management requires almost no operational overhead once configured.	Medium — CRD setup, issuer config, DNS provider credentials	Low — managed by cloud provider
Portability cert-manager is cloud-agnostic. Cloud certs only work on that cloud's managed services.	High — works on any Kubernetes, any cloud	Low — tied to cloud provider's load balancer / CDN
mTLS / Service-to-Service cert-manager is the standard choice for mTLS in service meshes. Cloud certificate management doesn't cover east-west traffic.	Excellent — issues per-service certs, integrates with Istio/Linkerd	Not designed for this

Overview

The cert-manager vs cloud certificate management decision comes down to where your TLS terminates and what kind of certificates you need. Cloud certificate management (AWS ACM, GCP Managed SSL, Azure managed certs) is the right answer for public-facing TLS that terminates at a load balancer or CDN — it's zero-ops and free for public certificates on AWS ALB and CloudFront. cert-manager is the right answer for everything else: internal PKI, mTLS between services, wildcard certs for non-AWS endpoints, and any cert that needs to live inside a Kubernetes Secret.

Where cert-manager Wins

cert-manager wins for internal certificate management and mTLS. If you run a service mesh (Istio, Linkerd), cert-manager issues the per-service certificates that encrypt east-west traffic — cloud certificate management doesn't touch this. For internal services that don't go through a public load balancer, cert-manager with a self-signed CA or Vault PKI is the only viable option. It also wins for multi-cloud and on-premises deployments where you're not tied to a specific cloud's certificate service, and for Let's Encrypt certs on non-AWS endpoints.

Where Cloud Certificate Management Wins

Cloud certificate management wins for public-facing TLS at the edge. AWS ACM certificates are free, auto-renewing, and require zero in-cluster ops when used with ALB or CloudFront. You don't run any software, there's no Certificate CRD to manage, and there's no risk of the cert-manager pod going down and blocking a renewal. For organizations on a single cloud with standard public HTTPS endpoints on managed load balancers, cloud certs eliminate an entire class of operational complexity. ACM also integrates directly with Route 53 for automatic DNS validation of wildcard certificates, eliminating the need to manage DNS-01 challenge records manually.

Migration & Switching Cost

Moving from cloud certs to cert-manager requires installing cert-manager, configuring issuers (ACME DNS-01 for wildcards or HTTP-01 for per-domain), and updating your Ingress annotations to reference Certificate resources instead of ACM ARNs. Plan for 1–2 days. Moving from cert-manager to cloud certs requires moving TLS termination to your load balancer (if it isn't already), removing cert-manager CRDs from your Ingress, and provisioning certs in ACM/GCP. The two approaches can coexist — cloud certs for public endpoints, cert-manager for internal mTLS.

Final Verdict

Use cloud certificate management (AWS ACM) for public HTTPS on load balancers — it's free, zero-ops, and auto-renewing. Use cert-manager for everything else: internal services, mTLS in a service mesh, wildcard certs on non-managed endpoints, and private PKI. Most production Kubernetes platforms use both: cloud certs at the edge, cert-manager for east-west traffic.

Feature Matrix

cert-manager

CNCF project that automates TLS certificate issuance and renewal inside Kubernetes via ACME, Vault, and CA issuers.

Cloud Certs (ACM / GCP / Azure)

Cloud-managed certificate services that handle public TLS certs for load balancers and CDN — zero in-cluster ops.

Architecture

cert-manager runs in your cluster; cloud certificate management is external to it.

In-cluster operator — issues and renews certs inside Kubernetes

Cloud-managed (AWS ACM, GCP Managed SSL, Azure App Service Certs)

Let's Encrypt / ACME

cert-manager has native ACME/Let's Encrypt support. Cloud providers use their own CA or charge for public certs.

Internal / Private PKI

cert-manager is far more flexible for internal certificate authorities and mTLS.

Yes — self-signed, CA issuers, Vault PKI integration

Limited — AWS Private CA (costly), GCP Private CA

Kubernetes Secret Integration

cert-manager certs are immediately available as K8s Secrets. Cloud certs need the aws-load-balancer-controller or similar.

Native — stores cert in Kubernetes TLS Secret, auto-mounts

Requires sync (AWS ACM doesn't export certs as K8s Secrets without extra tooling)

Wildcard Certificates

Both support wildcards. cert-manager requires a DNS provider integration for DNS-01 challenges.

Yes (DNS-01 ACME challenge)

Yes (AWS ACM, GCP)

Automatic Renewal

Both auto-renew. Cloud providers are zero-ops; cert-manager requires the operator to keep running.

Yes — renews at 2/3 of cert duration (e.g. day 60 for a 90-day Let's Encrypt cert)

Yes — cloud providers handle renewal transparently

Cost

Let's Encrypt via cert-manager is free. AWS ACM public certs are free on ALB. AWS Private CA is expensive.

Free (Let's Encrypt) or Vault PKI costs

Free for public certs on ALB/CloudFront (AWS ACM). Private CA: $400/month

Operational Complexity

Cloud certificate management requires almost no operational overhead once configured.

Medium — CRD setup, issuer config, DNS provider credentials

Low — managed by cloud provider

Portability

cert-manager is cloud-agnostic. Cloud certs only work on that cloud's managed services.

High — works on any Kubernetes, any cloud

Low — tied to cloud provider's load balancer / CDN

mTLS / Service-to-Service

cert-manager is the standard choice for mTLS in service meshes. Cloud certificate management doesn't cover east-west traffic.

Excellent — issues per-service certs, integrates with Istio/Linkerd

Not designed for this