Microsoft released the public preview of cert-manager support for Azure Arc-enabled Kubernetes on April 15, 2026, delivering a fully supported extension that automates TLS certificate lifecycle management across hybrid and multi-cloud clusters. The new Arc extension bundles Microsoft-supported versions of cert-manager and trust-manager, giving organizations a consistent way to provision, renew, and distribute certificates regardless of where Kubernetes runs—on-premises, at the edge, or in other clouds.

This move addresses a long-standing operational headache for platform teams managing sprawling Kubernetes estates. Without a unified certificate authority, each cluster becomes a silo of manual cert renewals, expired TLS warnings, and configuration drift. The cert-manager Arc extension plugs directly into Azure Arc’s control plane, enabling centralized policy enforcement and visibility for certificates across the entire hybrid fleet.

How the cert-manager Extension Works

The cert-manager extension deploys the open-source cert-manager (v1.15.0) and trust-manager (v0.8.0) components as an Azure Arc extension. Installation is a one-click operation from the Azure portal and can also be automated through Azure CLI, PowerShell, or ARM templates. Once installed, the extension spins up the cert-manager controller, webhook, and cainjector pods inside the target cluster, all preconfigured with Microsoft-recommended security defaults.

Administrators then define ClusterIssuer or Issuer resources just as they would with standard cert-manager, referencing an ACME provider like Let’s Encrypt, an internal private CA, or Azure Key Vault. The extension integrates natively with Azure Key Vault, allowing clusters to obtain publicly trusted or privately signed certificates from a centrally managed vault. Trust-manager handles the distribution of trust bundles (CA certificates) into namespaces, ensuring applications always have the correct root certificates to validate TLS connections.
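As an added end-to-end example (not taken from the announcement or from Microsoft's documentation), the manifests below express the flow just described using the upstream cert-manager v1 and trust-manager v1alpha1 APIs that the extension bundles: a ClusterIssuer backed by an ACME provider over HTTP-01 (the only challenge type the preview supports), a Certificate that renews well before expiry, a trust-manager Bundle that distributes the organization's root CA, and a Deployment that consumes both. The Azure Key Vault issuer is not shown because its schema is not described here; every resource name, hostname, container image, ingress class and namespace label is an assumption.

```yaml
# Added example, not from the announcement or from Microsoft. Upstream
# cert-manager v1 / trust-manager v1alpha1 APIs; all names are assumptions.

# 1. Cluster-wide ACME issuer. HTTP-01 is used because it is the only
#    challenge type the preview supports.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-http01            # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com  # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx   # assumed ingress class
---
# 2. Certificate owned by an application namespace: issued through the
#    ClusterIssuer, stored in the named Secret, renewed 15 days before
#    the 90-day lifetime ends, with a fresh private key on each renewal.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
  namespace: web                      # assumed namespace
spec:
  secretName: web-tls
  duration: 2160h                     # 90 days
  renewBefore: 360h                   # renew when 15 days remain
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  dnsNames:
    - web.example.com                 # assumed hostname
  issuerRef:
    name: letsencrypt-http01
    kind: ClusterIssuer
---
# 3. trust-manager Bundle: copies the corporate root CA (a Secret that must
#    live in trust-manager's own namespace) plus the public root store into
#    a ConfigMap named after the Bundle, in every labelled namespace.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: corp-root-ca                  # assumed name; also the target ConfigMap name
spec:
  sources:
    - secret:
        name: corp-root-ca            # assumed Secret holding the CA PEM
        key: ca.crt
    - useDefaultCAs: true
  target:
    configMap:
      key: ca-bundle.pem
    namespaceSelector:
      matchLabels:
        trust.example.com/inject: enabled   # assumed label
---
# 4. Workload that trusts only the distributed bundle: the ConfigMap is
#    mounted read-only and SSL_CERT_FILE points clients at it (honoured by
#    OpenSSL-based clients and by Go's crypto/x509 on Linux).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: web
spec:
  replicas: 1
  selector:
    matchLabels: { app: web }
  template:
    metadata:
      labels: { app: web }
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.0   # assumed image
          env:
            - name: SSL_CERT_FILE
              value: /etc/ssl/trust/ca-bundle.pem
          volumeMounts:
            - name: trust
              mountPath: /etc/ssl/trust
              readOnly: true
            - name: tls
              mountPath: /etc/ssl/tls
              readOnly: true
      volumes:
        - name: trust
          configMap:
            name: corp-root-ca         # written by the Bundle above
        - name: tls
          secret:
            secretName: web-tls        # written by cert-manager
```

Apply the set with kubectl apply -f. The Bundle only writes its ConfigMap into namespaces that match the selector, so the web namespace must carry trust.example.com/inject=enabled before the Deployment starts, and the corp-root-ca Secret must exist in trust-manager's namespace (cert-manager by default). Because the Certificate renews automatically and the Bundle re-syncs on change, neither the key pair nor the trust store requires a manual ConfigMap edit or an application restart.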

“With this extension, we’re removing the friction of managing certificate infrastructure separately for each Arc-enabled cluster,” said Melissa Torres, principal program manager for Azure Arc. “Customers get a fully supported, Microsoft-validated version of cert-manager that is maintained and updated as part of the Azure Arc release cadence.”

Key Benefits for Hybrid Operations

Unified certificate lifecycle management – Create, renew, and revoke TLS certificates across all Arc-enabled clusters from the Azure portal or via declarative configuration. Alerts and dashboards surface imminent expirations before they cause outages.

Integrated trust distribution – The built-in trust-manager automatically syncs root and intermediate CA certificates into any namespace that needs them, eliminating manual ConfigMap updates and application restarts.

Simplified compliance and auditing – Because the extension is part of Azure Arc, all certificate operations flow into Azure Monitor and Azure Policy. Auditors can verify that every cluster uses approved issuers and that certificates adhere to organizational validity periods and key strengths.

Multi-environment consistency – Whether running AKS on Azure, a vSphere VM, or an edge device, the same cert-manager configuration works everywhere. This reduces training and allows global platform teams to define certificate standards once.

Reduced operational overhead – The extension auto-updates with each Arc release cycle, keeping cert-manager and trust-manager patched without manual intervention. Microsoft provides support for the entire stack, so customers can open a unified support ticket for any certificate-related issue.

Getting Started with the Preview

Enabling the cert-manager extension requires a Kubernetes cluster onboarded to Azure Arc (minimum Kubernetes version 1.27) and the Azure CLI with the k8s-extension extension. The following commands install the preview extension:

az k8s-extension create \
  --cluster-type connectedClusters \
  --cluster-name <arc-cluster-name> \
  --resource-group <resource-group> \
  --name cert-manager \
  --extension-type Microsoft.cert-manager \
  --version 1.0.0-preview \
  --configuration-settings useAzureKeyVault=true

After installation, users can create a ClusterIssuer pointing to Azure Key Vault or any other supported issuer type. Detailed step-by-step guides are available on Microsoft Learn.

Preview Limitations and Known Issues

As a public preview, the extension currently has several constraints:

  • Single issuer per cluster – Only one ClusterIssuer can be designated as the default via the extension configuration. Future releases will remove this limit.
  • No custom CA support in GUI – While custom CAs work through YAML manifests, the portal does not yet provide a wizard for uploading private CA certificates. This is expected in the next preview update.
  • DNS-01 challenge restrictions – The streamlined integration with Azure Key Vault currently only supports HTTP-01 challenges for public certificates. DNS-01 with Azure DNS is planned for the general availability (GA) milestone.
  • Windows container support – The extension deploys on Linux nodes only. Windows node pools cannot run the cert-manager pods natively; certificates can still be mounted into Windows containers if the issuer resolver runs on a Linux node.

Microsoft advises against using the preview in production for mission-critical workloads, though many teams are already testing it in development and staging environments.

Community and Early Adopter Feedback

Early adopters on the Azure Arc forums and GitHub have praised the extension for slashing the time needed to bootstrap new clusters. “We onboarded 12 edge sites across three continents, and having cert-manager as part of Arc saved us weeks of scripting and validation,” commented a DevOps architect from a global logistics firm. Others noted that the tight alignment with Azure Policy helps enforce certificate compliance automatically—something that previously required custom Golang controllers or manual audits.

Some users expressed a desire for deeper integration with Azure Active Directory workload identities for pod-level authentication to Key Vault, a feature the engineering team confirmed is on the roadmap for GA. Additionally, the community has contributed example Issuer configurations for popular private CAs like HashiCorp Vault and cert-manager’s own step-ca, accelerating adoption.

The Bigger Picture: Azure Arc’s Hybrid Strategy

Azure Arc has evolved from a simple inventory tool into a robust hybrid management fabric. With the cert-manager extension, Microsoft continues to bring cloud-born practices to any infrastructure. TLS certificate management is often the canary in the coal mine for platform maturity—if you can’t automate certs, you likely can’t automate much else. By standardizing on cert-manager through Arc, enterprises can treat certificates as code, reducing risk and enabling more agile application deployment.

The extension also complements existing Arc integration with GitOps (Flux v2), Open Service Mesh, and Azure Policy. Together, these capabilities form a cohesive framework for running secure, compliant Kubernetes at scale, irrespective of location.

Roadmap to General Availability

According to Microsoft’s public Azure Arc roadmap, the cert-manager extension is targeting general availability by Q3 2026. The GA version will include:

  • Multi-issuer support with namespace-scoped issuer priority.
  • Full DNS-01 challenge integration with Azure DNS and third-party providers.
  • Certificate health dashboards in Azure Workbooks.
  • Integration with Azure Security Center for compliance scoring.
  • Windows node support for the trust-manager component.

No pricing specific to the extension has been announced; customers pay only for the underlying Azure Arc management infrastructure and any Azure Key Vault operations.

How This Compares to Other Solutions

Vendors like Venafi, HashiCorp, and SSL.com offer commercial certificate management platforms that can integrate with Kubernetes, but they often require additional agents, per-cluster licensing, and complex network configurations. The Arc cert-manager extension benefits from deep Azure integration without extra licensing costs. For organizations already committed to Azure Arc, this preview eliminates the need to evaluate third-party alternatives for basic TLS automation.

Open-source cert-manager remains a compelling option for teams that need maximum flexibility, but those teams must shoulder the support burden themselves and build their own multi-cluster management and trust distribution frameworks. The Arc extension meets the needs of enterprises that value Microsoft’s support umbrella and prefer a managed solution.

Security Considerations

Certificates are the bedrock of zero-trust architectures. The extension’s default configuration disables insecure flags and forces TLS 1.2 or higher. The trust-manager component ensures that certificate bundles are read-only inside pods, preventing accidental mutation. All communication between the extension and Azure Arc services flows over the Arc agent’s encrypted channel, and no certificate private keys leave the cluster unless explicitly exported to Azure Key Vault.

Microsoft’s Security Response Center has reviewed the preview build, and known vulnerabilities in the open-source dependencies have been remediated. As new CVEs emerge, the extension will receive updates through the standard Arc release process.

Final Thoughts: A Step Toward Mature Hybrid Operations

The public preview of cert-manager for Azure Arc-enabled Kubernetes is more than a new extension—it’s a signal that Microsoft is serious about making hybrid operations as seamless as cloud-native ones. By removing the certificate management burden, platform teams can focus on delivering business value rather than firefighting expirations.

Organizations running distributed Kubernetes should start testing this extension in non-production environments to validate their issuer configurations and build automation around certificate policies. With GA on the horizon, now is the time to align hybrid TLS strategy with the tools that will be fully supported in the coming months.