Intermediate to Advanced | 18 hours | 36 lessons

SSL/TLS & Certificate Management for Kubernetes Engineers

From encryption fundamentals to production cert management on Kubernetes. Master TLS handshakes, X.509 certificates, cert-manager, mTLS with service mesh, and the 3AM cert expiry runbook.

$79

One-time payment. Lifetime access.

Text-based, no videos
10 modules, 36 lessons
Lifetime access

What you'll learn

Symmetric and asymmetric encryption, key exchange, digital signatures from first principles
TLS 1.2 and 1.3 handshake internals — every packet, every decision
X.509 certificate anatomy, CA hierarchy, and chain of trust verification
Kubernetes internal PKI — every certificate the API server, kubelet, and etcd use
cert-manager with ACME, Vault, and private CAs for automated certificate lifecycle
mTLS with Istio, Linkerd, and Cilium for zero-trust service mesh
Debug certificate failures with OpenSSL and respond to cert expiry incidents

Curriculum

10 modules · 36 lessons

01 Cryptography Foundations

The building blocks of TLS — symmetric encryption, asymmetric encryption, key exchange, hashing, and digital signatures.

4 lessons

02 The TLS Protocol

TLS 1.2 and 1.3 handshake internals — every message, every decision, and why TLS 1.3 is faster and more secure.

4 lessons

03 X.509 Certificates & PKI

Certificate anatomy, CSRs, SANs vs wildcards, CA hierarchy, certificate chains, and the trust model that underpins HTTPS.

4 lessons

04 Certificate Authorities

Public CAs, private CAs, and the trust decisions that determine whether your certificates are accepted or rejected.

3 lessons

05 Kubernetes Internal PKI

Every certificate inside a Kubernetes cluster — API server, kubelet, etcd, front-proxy, and service account signing keys.

4 lessons

06 cert-manager on Kubernetes

Automated certificate lifecycle on Kubernetes — ACME, Vault, private CAs, and the Certificate CRD that handles everything.

4 lessons

07 Ingress TLS & Termination

TLS termination strategies — at the load balancer, at the ingress controller, or at the pod — with NGINX, Traefik, Envoy, and Gateway API.

3 lessons

08 mTLS & Service Mesh

Mutual TLS for zero-trust service-to-service communication — with Istio, Linkerd, Cilium, and SPIFFE/SPIRE.

4 lessons

09 Secrets, Storage & Rotation

Store certificates securely, rotate them without downtime, and monitor expiry across your entire fleet.

3 lessons

10 Debugging & Incident Response

The OpenSSL debugging toolkit, incident response for cert failures, and real outage postmortems that teach more than any tutorial.

3 lessons

About the Author

Sharon Sahadevan

AI Infrastructure Engineer

Building production GPU clusters on Kubernetes — H100s, large-scale model serving, and end-to-end ML infrastructure across Azure and AWS.

10+ years designing cloud-native platforms with deep expertise in Kubernetes orchestration, GitOps (Argo CD), Terraform, and MLOps pipelines for LLM deployment.

Author of KubeNatives, a weekly newsletter read by 3,000+ DevOps and ML engineers for production insights on K8s internals, GPU scheduling, and model-serving patterns.

Ready to master this topic?

Start with the free preview lesson and see for yourself.