I've been pretty happy with kube-lego which manages thousands of certificates for me. I'm now migrating to cert-manager, it's successor, but in my test deployment, I noticed that when cert-manager saw an existing certificate with 33 days left til expiration, it replaced it with a new one even though it didn't really need to.

I'm worried that when I flip the switch from kube-lego to cert-manager, cert-manager will flood Let's Encrypt with thousands of certificate requests all at once. I'd prefer if cert-manager used the existing certificates, previously managed by kube-lego, until each certificate gets closer to its expiration date because it will space out the certificate requests more evenly.

Is it possible to tell cert-manager to use the existing certificates and not request new certificates?