All certificates for OpenShift Lifecycle Manager (OLM) components (
marketplace-operator) are managed by the system.
Operators installed via OLM can have certificates generated for them if they are providing API services.
packageserver is one example.
Certificates in the
openshift-operator-lifecycle-manager namespace are managed by OLM with the exception of certificates used by Operators that require a validating or mutating webhook.
Operators that install validating or mutating webhooks must currently manage those certificates themselves. They do not require the user to manage the certificates.
OLM will not update the certificates of Operators that it manages in proxy environments. These certificates must be managed by the user via the subscription config.