# Managing Certificates

> Configure the OpenShell Helm chart to use cert-manager for mTLS certificate issuance and automatic renewal.

The OpenShell gateway requires mTLS certificates for sandbox supervisors and clients. The Helm chart supports two ways to provision and manage them:

| Mode                            | When to use                                                                                                                               |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| Built-in `pkiInitJob` (default) | Simplest path. A pre-install Kubernetes Job generates a self-signed CA and certificates once at install time. No additional dependencies. |
| cert-manager                    | Production deployments that need automatic certificate rotation managed by a running controller.                                          |

The rest of this page covers switching to cert-manager. The built-in mode requires no configuration.

<Note>
  cert-manager and `pkiInitJob` are mutually exclusive. The chart will fail if both are enabled at the same time.
</Note>

## Install cert-manager

Add the Jetstack Helm repository and install cert-manager with CRD support enabled:

```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --wait
```

Verify the cert-manager pods are running:

```shell
kubectl -n cert-manager get pods
```

## Install OpenShell with cert-manager PKI

Pass the cert-manager values override when installing or upgrading the chart:

```shell
helm upgrade --install openshell \
  oci://ghcr.io/nvidia/openshell/helm-chart \
  --version <version> \
  --namespace openshell \
  --set certManager.enabled=true \
  --set pkiInitJob.enabled=false
```

The chart creates a self-signed CA and issues server and client certificates from it. cert-manager then handles renewal before expiry.
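To confirm that issuance succeeded and renewal is scheduled, the following added example (not part of the OpenShell chart or its documentation) audits cert-manager `Certificate` status. It assumes the `openshell` namespace from the install command above and makes no assumption about the chart's Certificate names; the names in `sample_rows` are constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenShell chart.
# Assumption: Certificates live in the "openshell" namespace used above.

# One TSV row per Certificate: name, Ready status, notAfter, renewalTime.
list_certs() {
  kubectl -n "${1:-openshell}" get certificates.cert-manager.io -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Ready")].status}{"\t"}{.status.notAfter}{"\t"}{.status.renewalTime}{"\n"}{end}'
}

# Audit TSV rows from stdin. $1 = "now" as RFC 3339 UTC (default: current time).
# RFC 3339 UTC timestamps sort lexically, so string comparison is enough.
# Returns non-zero if no Certificate exists, or any is not Ready or expired.
audit_certs() {
  now="${1:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  awk -F '\t' -v now="$now" '
    NF == 0 { next }
    { seen++ }
    $2 != "True" { printf "FAIL %s: not Ready\n", $1; bad++; next }
    $3 == "" || $3 <= now { printf "FAIL %s: expired or no notAfter (%s)\n", $1, $3; bad++; next }
    $4 == "" || $4 <= now { printf "WARN %s: renewal overdue or unscheduled (%s)\n", $1, $4; next }
    { printf "OK   %s: expires %s, renews %s\n", $1, $3, $4 }
    END {
      if (!seen) { print "FAIL no Certificate resources found"; bad++ }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample rows (hypothetical names), standing in for list_certs output.
sample_rows() {
  printf '%s\t%s\t%s\t%s\n' \
    example-server True 2025-09-01T00:00:00Z 2025-08-01T00:00:00Z \
    example-client True 2025-09-01T00:00:00Z 2025-05-20T00:00:00Z \
    example-ca False '' ''
}

# Offline demo on the sample. Against a cluster: list_certs openshell | audit_certs
sample_rows | audit_certs "2025-06-01T00:00:00Z" || true
```

A "no Certificate resources found" result usually means the release was installed without `certManager.enabled=true`, so the chart never created any `Certificate` objects for cert-manager to manage.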

## Next Steps

Return to [Setup](/kubernetes/setup) to complete the installation.