Monitoring cert-manager certificate renewal

How to monitor when your certificates are nearing their expiry, confirm that cert-manager is renewing them, and verify that dependent certificates are also renewed and related pods are restarted.

CA certificate renewal

If cert-manager renews a CA certificate, you must renew all the certificates that the CA signs. See API Connect TLS certificates reference.

Monitoring when your certificates are due to expire

Check when your certificates are due to expire with the following command:
kubectl -n <namespace> get certificate -o custom-columns=NAME:metadata.name,DURATION:spec.duration,RenewBEFORE:spec.renewBefore,NotAFTER:status.notAfter
Example output:
NAME                                     DURATION     RenewBEFORE   NotAFTER
analytics-ingestion-client               17520h0m0s   720h0m0s      2025-08-28T08:25:58Z
api-endpoint                             17520h0m0s   720h0m0s      2025-08-28T08:28:40Z
apim-endpoint                            17520h0m0s   720h0m0s      2025-08-28T08:28:21Z
The example output shows that your analytics-ingestion-client is due to expire at 2025-08-28T08:25:58Z. The RenewBEFORE property shows that cert-manager should renew this certificate 720 hours before it expires.

Monitoring the cert-manager manager logs

Monitor the cert-manager logs to confirm when certificates are renewed. Run the following command to display the cert-manager log:
kubectl logs <cert-manager pod name> -n <cert-manager namespace>
Example output:
I0108 14:23:18.001074       1 controller.go:129] cert-manager/controller/certificates "level"=0 "msg"="syncing item" "key"="default/test-cert" 
I0108 14:23:18.009940       1 issue.go:109] cert-manager/controller/certificates/certificates/issue "level"=0 "msg"="certificate issued" "related_resource_kind"="Secret" "related_resource_name"="test-cert" "related_resource_namespace"="default" 
I0108 14:23:18.018664       1 sync.go:331] cert-manager/controller/certificates/certificates "level"=0 "msg"="certificate scheduled for renewal" "duration_until_renewal"="-5.018566857s" "related_resource_kind"="Secret" "related_resource_name"="test-cert" "related_resource_namespace"="default" 
I0108 14:23:18.019070       1 controller.go:135] cert-manager/controller/certificates "level"=0 "msg"="finished processing work item" "key"="default/test-cert" 
The 4 statements (shown in the example) indicate when a certificate is about to be renewed, and when the renewal is complete a few seconds later.
Tip: Set up a logs-based alerting mechanism that informs you when cert-manager renews any certificate.

Pods that require restart after certificate renewal

Some API Connect pods must be restarted when certificates that are used by the pod are renewed. The certificates that require pods to be restarted after renewal are:

  • analytics-ingestion-client or a7s-ing-client. Restart apim, taskmanager, and analytics-proxy pods on the management subsystem.
  • gateway-client-client or gw-dr-client. Restart the apim and taskmanager pods on the management subsystem.
  • analytics-ai-endpoint or a7s-ai-endpoint. Restart the mtls-gw pod on the analytics subsystem.