Intermediate to Advanced | 18 hours | 36 lessons

SSL/TLS & Certificate Management for Kubernetes Engineers

From encryption fundamentals to production cert management on Kubernetes. Master TLS handshakes, X.509 certificates, cert-manager, mTLS with service mesh, and the 3AM cert expiry runbook.

Text-based, no videos
10 modules, 36 lessons
Lifetime access

What you'll learn

Symmetric and asymmetric encryption, key exchange, digital signatures from first principles
TLS 1.2 and 1.3 handshake internals, every packet, every decision
X.509 certificate anatomy, CA hierarchy, and chain of trust verification
Kubernetes internal PKI: every certificate the API server, kubelet, and etcd use
cert-manager with ACME, Vault, and private CAs for automated certificate lifecycle
mTLS with Istio, Linkerd, and Cilium for zero-trust service mesh
Debug certificate failures with OpenSSL and respond to cert expiry incidents

Curriculum

10 modules · 36 lessons
01

Cryptography Foundations

The building blocks of TLS: symmetric encryption, asymmetric encryption, key exchange, hashing, and digital signatures.

4 lessons
02

The TLS Protocol

TLS 1.2 and 1.3 handshake internals: every message, every decision, and why TLS 1.3 is faster and more secure.

4 lessons
03

X.509 Certificates & PKI

Certificate anatomy, CSRs, SANs vs wildcards, CA hierarchy, certificate chains, and the trust model that underpins HTTPS.

4 lessons
04

Certificate Authorities

Public CAs, private CAs, and the trust decisions that determine whether your certificates are accepted or rejected.

3 lessons
05

Kubernetes Internal PKI

Every certificate inside a Kubernetes cluster: API server, kubelet, etcd, front-proxy, and service account signing keys.

4 lessons
06

cert-manager on Kubernetes

Automated certificate lifecycle on Kubernetes: ACME, Vault, private CAs, and the Certificate CRD that handles everything.

4 lessons
07

Ingress TLS & Termination

TLS termination strategies at the load balancer, at the ingress controller, or at the pod, with NGINX, Traefik, Envoy, and Gateway API.

3 lessons
08

mTLS & Service Mesh

Mutual TLS for zero-trust service-to-service communication with Istio, Linkerd, Cilium, and SPIFFE/SPIRE.

4 lessons
09

Secrets, Storage & Rotation

Store certificates securely, rotate them without downtime, and monitor expiry across your entire fleet.

3 lessons
10

Debugging & Incident Response

The OpenSSL debugging toolkit, incident response for cert failures, and real outage postmortems that teach more than any tutorial.

3 lessons

About the Author

Sharon Sahadevan

AI Infrastructure Engineer

Building production GPU clusters on Kubernetes. H100s, large-scale model serving, and end-to-end ML infrastructure across Azure and AWS.

10+ years designing cloud-native platforms with deep expertise in Kubernetes orchestration, GitOps (Argo CD), Terraform, and MLOps pipelines for LLM deployment.

Author of KubeNatives, a weekly newsletter read by 3,000+ DevOps and ML engineers for production insights on K8s internals, GPU scheduling, and model-serving patterns.

Ready to master this topic?

Start with the free preview lesson and see for yourself.