Security

cert-manager Releases

Q: What does cert-manager do?

cert-manager automates TLS certificate lifecycle in Kubernetes. It obtains certificates from issuers (Let's Encrypt, Vault, Venafi, self-signed CA, etc.), stores them as Kubernetes Secrets, and renews them before expiry. It watches Certificate CRDs and Ingress/Gateway annotations to automatically provision and rotate certificates. It is the de facto standard for Kubernetes TLS management.

Q: Which Kubernetes versions does cert-manager support?

cert-manager supports the latest 4 Kubernetes minor versions. cert-manager 1.14+ supports K8s 1.26-1.31. cert-manager 1.15+ supports K8s 1.27-1.32. The project tests against these versions in CI. Older K8s versions may work but are not guaranteed. The main requirement is CRD v1 support (K8s 1.16+).

Q: How do I migrate from cert-manager API v1alpha2/v1beta1 to v1?

cert-manager v1.7+ removed v1alpha2 and v1beta1 API versions. All Certificate, Issuer, ClusterIssuer resources must use cert-manager.io/v1. If you are on an older version, update your manifests to use v1 API before upgrading cert-manager. The v1 API has been stable since cert-manager 1.0. Use cmctl convert to auto-migrate manifests.

Q: What ACME providers does cert-manager support?

cert-manager supports any ACME-compliant provider: Let's Encrypt (production + staging), ZeroSSL, Buypass, Google Trust Services, and any other ACME server. For DNS-01 challenges, it supports 20+ DNS providers (Route53, CloudFlare, Google Cloud DNS, Azure DNS, DigitalOcean, etc.) via built-in solvers or webhook solvers.

Q: How do I upgrade cert-manager safely?

Back up your Certificate, Issuer, and ClusterIssuer resources first. Then upgrade using Helm or kubectl apply with the new manifests. cert-manager handles CRD upgrades during installation. The main risk is API version removal: if you are skipping multiple minor versions, check for removed API versions. Always read the upgrade notes. Certificates continue to be served during the upgrade.

Q: cert-manager vs Caddy for automatic HTTPS?

Different tools for different contexts. Caddy handles automatic HTTPS for a single web server (simple, zero-config TLS). cert-manager handles certificate management across an entire Kubernetes cluster for all services, ingresses, and gateways. If you run K8s, you need cert-manager. If you run a single server, Caddy is simpler. They can also work together: cert-manager provisions certs that Caddy uses.

Track cert-manager releases, Kubernetes version compatibility, ACME provider support, API version evolution, and upgrade guidance for certificate management in Kubernetes.

Official Site Documentation

—

Total Versions

—

Supported

—

Latest

Version Timeline

All tracked releases with lifecycle status and EOL dates.

Loading version data…

Lifecycle Timeline

Visual overview of active support and maintenance windows.

1.12

1.13

1.14

1.15

1.16

1.17

2023 2024 2025 2026 2027 2028

Active

Maint

Active

Maint

Active

Maint

Active

Maint

Active

Maint

Active

Maint

Active / LTS

Maintenance

Today

Upgrade Paths

Migration guidance between major versions — breaking changes, effort estimates, and tips.

1.12/1.13 1.16+ Medium Difficulty

Est. 30-60 minutes per minor version

Breaking Changes

Deprecated API fields removed in newer versions
Webhook validation stricter
Some Issuer configuration fields renamed
Gateway API integration changes
Updated default ACME challenge solver behavior
Helm chart values restructured in 1.15+

Migration Notes

Upgrade one minor version at a time. Check for deprecated API fields with cmctl check api. Review Helm chart value changes between each version. The biggest risk is custom webhook configurations and Issuer spec changes. Certificates remain valid and served during upgrades.

1.15 1.16 Low Difficulty

Est. < 30 minutes

Breaking Changes

Updated Gateway API integration
New trust-manager improvements
Enhanced Venafi issuer support

Migration Notes

Straightforward upgrade. Update Helm chart, apply, verify Certificates are in Ready state. No breaking changes for standard Let's Encrypt or self-signed CA setups.

Version Risk Assessment

Evaluate risk factors before choosing a version for production.

Version	EOL Risk	CVE Risk	Ecosystem	Cloud Support	Overall	Recommended Action
cert-manager 1.12 and older	Critical	High	Unsupported	None	Critical	No patches — certificates may fail silently on edge cases
cert-manager 1.13	Critical	Medium	Unsupported	Degrading	Critical	Past EOL — upgrade to 1.16+
cert-manager 1.14	High	Medium	Maintenance	Full	High	Security-only — plan upgrade
cert-manager 1.15	Medium	Low	Supported	Full	Medium	Supported until Mar 2025 — upgrade soon
cert-manager 1.16	Low	Low	Active	Full	Low	Current — recommended
cert-manager 1.17	None	Low	Active	Full	Low	Latest — recommended for new installs

cert-manager supports the latest 3 minor versions. As a security-critical component (TLS certificate management), running unsupported versions is high-risk. Assessed March 2026.

cert-manager Version Feature Comparison

Side-by-side feature differences across major versions.

Feature	1.12	1.13	1.14	1.15	1.16
Gateway API integration	Beta	Beta	Stable	Stable	Enhanced
trust-manager	Alpha	Beta	Beta	Stable	Stable
ACME external account	Stable	Stable	Stable	Stable	Stable
Venafi enhanced issuer	Basic	Improved	Improved	Enhanced	Enhanced
csi-driver	Beta	Stable	Stable	Stable	Stable
istio-csr integration	Stable	Stable	Stable	Enhanced	Enhanced
Approver policy	Stable	Stable	Stable	Stable	Enhanced
K8s version support	1.24-1.28	1.25-1.29	1.26-1.31	1.27-1.31	1.28-1.32
Webhook validation	v1	v1	v1 strict	v1 strict	v1 strict

Embed Badges

Add live cert-manager status badges to your README, docs, or dashboard.

Health Status

Overall support health

![cert-manager Health Status](https://img.releaserun.com/badge/health/cert-manager.svg)

EOL Countdown

Next end-of-life date

![cert-manager EOL Countdown](https://img.releaserun.com/badge/eol/cert-manager.svg)

Latest Version

Current stable release

![cert-manager Latest Version](https://img.releaserun.com/badge/v/cert-manager.svg)

CVE Status

Known vulnerabilities

![cert-manager CVE Status](https://img.releaserun.com/badge/cve/cert-manager.svg)

Frequently Asked Questions

Common questions about cert-manager releases and lifecycle.

What does cert-manager do?

cert-manager automates TLS certificate lifecycle in Kubernetes. It obtains certificates from issuers (Let's Encrypt, Vault, Venafi, self-signed CA, etc.), stores them as Kubernetes Secrets, and renews them before expiry. It watches Certificate CRDs and Ingress/Gateway annotations to automatically provision and rotate certificates. It is the de facto standard for Kubernetes TLS management.

Which Kubernetes versions does cert-manager support?

cert-manager supports the latest 4 Kubernetes minor versions. cert-manager 1.14+ supports K8s 1.26-1.31. cert-manager 1.15+ supports K8s 1.27-1.32. The project tests against these versions in CI. Older K8s versions may work but are not guaranteed. The main requirement is CRD v1 support (K8s 1.16+).

How do I migrate from cert-manager API v1alpha2/v1beta1 to v1?

cert-manager v1.7+ removed v1alpha2 and v1beta1 API versions. All Certificate, Issuer, ClusterIssuer resources must use cert-manager.io/v1. If you are on an older version, update your manifests to use v1 API before upgrading cert-manager. The v1 API has been stable since cert-manager 1.0. Use cmctl convert to auto-migrate manifests.

What ACME providers does cert-manager support?

cert-manager supports any ACME-compliant provider: Let's Encrypt (production + staging), ZeroSSL, Buypass, Google Trust Services, and any other ACME server. For DNS-01 challenges, it supports 20+ DNS providers (Route53, CloudFlare, Google Cloud DNS, Azure DNS, DigitalOcean, etc.) via built-in solvers or webhook solvers.

How do I upgrade cert-manager safely?

Back up your Certificate, Issuer, and ClusterIssuer resources first. Then upgrade using Helm or kubectl apply with the new manifests. cert-manager handles CRD upgrades during installation. The main risk is API version removal: if you are skipping multiple minor versions, check for removed API versions. Always read the upgrade notes. Certificates continue to be served during the upgrade.

cert-manager vs Caddy for automatic HTTPS?

Different tools for different contexts. Caddy handles automatic HTTPS for a single web server (simple, zero-config TLS). cert-manager handles certificate management across an entire Kubernetes cluster for all services, ingresses, and gateways. If you run K8s, you need cert-manager. If you run a single server, Caddy is simpler. They can also work together: cert-manager provisions certs that Caddy uses.

Related Tools

Dep EOL Scanner

Check your dependencies for end-of-life packages.

Stack Health Scorecard

Get an overall health grade for your tech stack.

Release Index

Browse all tracked platforms and their release timelines.