
Enterprise cert-manager releases

Learn about current and past releases of Enterprise cert-manager.

Latest Enterprise cert-manager release

The latest stable release of Enterprise cert-manager is v1.14.3.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.3

Release 1.14.3

Enterprise cert-manager 1.14.3 was released on February 23, 2024.

Important

When upgrading to cert-manager release 1.14, skip v1.14.0, v1.14.1, and v1.14.2, and install this patch release instead.

Key features

  • This release fixes an issue with JSON logging, where only a subset of the log messages were output as JSON.
  • This release also corrects an issue where LiteralSubjects with a #= value can result in memory issues due to a faulty BER parser.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.3

Release 1.14.2

Enterprise cert-manager 1.14.2 was released on February 8, 2024.

Key features

  • The release fixes an issue where cert-manager CA and SelfSigned issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field.
  • This release also corrects an issue with the Helm trick used to differentiate between 0 and an empty value.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.2
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.2
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.2
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.2
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.2
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.2
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.2
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.2
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.2

Release 1.14.1

Enterprise cert-manager 1.14.1 was released on February 2, 2024.

Key features

Enterprise cert-manager 1.14.1 brings a variety of features, security improvements and bug fixes, including support for creating X.509 certificates with Other Name fields, and support for creating CA certificates with Name Constraints and Authority Information Accessors extensions.

Important

The startupapicheck job uses a new OCI image called cert-manager-startupapicheck, instead of the cert-manager-ctl image. If you run in an environment in which images can't be pulled, be sure to include the new image.

  • New X.509 features

    • The cert-manager certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the Subject Alternative Name section of RFC 5280 (on page 37).

    • We specifically support any otherName type with a UTF-8 value, such as the User Principal Name or sAMAccountName. These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example, you can create certificates with this block in the spec:

      otherNames:
        - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
          utf8Value: upn@domain.local
      

      The feature is still in alpha stage and requires you to enable the OtherName feature flag in the controller and webhook components.

  • New CA certificate features

    • You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer.

    • Users can now use name constraints in CA certificates. For details on name constraints, see RFC 5280 section 4.2.1.10.

  • Security updates

    • An ongoing security audit of the cert-manager code revealed some weaknesses which were addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those services.

    • All the cert-manager containers are now configured with read-only root file system by default, to prevent unexpected changes to the file system of the OCI image.

    • It is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server.

  • Miscellaneous

    • The liveness probe of the cert-manager controller Pod is now enabled by default.

    • There is a new option .spec.keystores.pkcs12.algorithms to specify encryption and MAC algorithms for PKCS#12 keystores.

    • The KeyUsage and BasicConstraints extensions are now encoded as critical in the CertificateRequest's CSR blob.

    • Enterprise cert-manager 1.14.1 fixes issues in the Helm chart, as well as minor issues in cmctl.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.1
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.1
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.1
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.1
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.1

Release 1.13.3

Enterprise cert-manager 1.13.3 was released on December 11, 2023.

Key features

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.13.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.13.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.13.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.13.3
  • Docker Image: private-registry.venafi.cloud/cert-manager/cert-manager-ctl:v1.13.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.13.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.13.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.13.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.13.3
  • Docker Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.13.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.13.3

Read before upgrading!

  1. IMPORTANT NOTE: If upgrading from a version earlier than v1.12, upgrade to the latest v1.12 release before upgrading to v1.13.x. Otherwise, some certificates may be unexpectedly re-issued.
  2. BREAKING: If you deploy cert-manager using Helm and have the .featureGates value set, the features defined there will no longer be passed to the cert-manager webhook, only to the cert-manager controller. Use the webhook.featureGates field instead to define features to be enabled on the webhook.
  3. POTENTIALLY BREAKING: If you pass cert-manager controller's features to webhook's --feature-gates flag, this will now break (unless the webhook actually has a feature by that name).
  4. POTENTIALLY BREAKING: Webhook validation of CertificateRequest resources is stricter now. All KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource; the encoded CSR can never contain more usages than those defined there.
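
The Helm change in items 2 and 3 above, together with the OtherName note under release 1.14.1, can be checked before upgrading. The following is an added example, not part of the Enterprise cert-manager documentation or code: it assumes the Helm values are already loaded into a dict and that gates use the Name=true,Name=false string form; ExampleGate is a made-up gate name.

```python
# Added example: audit Helm values before upgrading to v1.13 or later.
# Gates named on the page as needed by BOTH controller and webhook.
NEEDS_BOTH = {"OtherName"}


def parse_gates(spec):
    """Parse "A=true,B=false" into {"A": True, "B": False}."""
    gates = {}
    for item in (spec or "").split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        value = value.strip().lower()
        if not sep or value not in ("true", "false"):
            raise ValueError(f"malformed feature gate entry: {item!r}")
        gates[name.strip()] = value == "true"
    return gates


def audit_feature_gates(values):
    """Map each gate enabled only on the controller to 'required' or 'review'."""
    controller = parse_gates(values.get("featureGates"))
    webhook = parse_gates((values.get("webhook") or {}).get("featureGates"))
    findings = {}
    for name, enabled in controller.items():
        if not enabled or webhook.get(name):
            continue  # disabled, or already enabled on the webhook
        # 'required': the page says the webhook needs this gate too.
        # 'review': add it to webhook.featureGates only if the webhook has a
        # gate by that name, otherwise the --feature-gates flag will break.
        findings[name] = "required" if name in NEEDS_BOTH else "review"
    return findings


# Constructed sample values; ExampleGate is a made-up gate name.
OLD_STYLE = {"featureGates": "OtherName=true,ExampleGate=true"}
FIXED = {
    "featureGates": "OtherName=true,ExampleGate=true",
    "webhook": {"featureGates": "OtherName=true"},
}

if __name__ == "__main__":
    for label, vals in (("old-style", OLD_STYLE), ("fixed", FIXED)):
        print(label, audit_feature_gates(vals))
```

A "required" finding means the gate must be added under webhook.featureGates; a "review" finding only needs action if the webhook has a gate by that name.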