{"blog_url":"https://www.shigemk2.com/","blog_title":"by shigemk2","height":"190","image_url":null,"published":"2026-03-20 00:45:03","provider_name":"Hatena Blog","author_url":"https://blog.hatena.ne.jp/shigemk2/","type":"rich","url":"https://www.shigemk2.com/entry/2026/03/20/004503","title":"cert-manager 1.18 Certificate.Spec.PrivateKey.RotationPolicy","version":"1.0","categories":["k8s"],"width":"100%","provider_url":"https://hatena.blog","html":"<iframe src=\"https://hatenablog-parts.com/embed?url=https%3A%2F%2Fwww.shigemk2.com%2Fentry%2F2026%2F03%2F20%2F004503\" title=\"cert-manager 1.18 Certificate.Spec.PrivateKey.RotationPolicy - by shigemk2\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\"></iframe>","description":"Why? Because the old default was unintuitive and insecure. For example, if a private key is exposed, users may (reasonably) assume that re-issuing a certificate (e.g. using cmctl renew) will generate a new private key, but it won't unless the user has explicitly set rotationPolicy: Always on the Cer\u2026","author_name":"shigemk2"}