# Pattern: Certificate Automation Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Secrets and cryptography ## Problem Manual certificate issuance and renewal create outages, weak defaults, and stale trust anchors. ## Context Use this pattern for ingress TLS, internal service TLS, mTLS, workload certificates, admin endpoints, and platform APIs. ## Forces - Certificates need automated issuance and renewal. - Trust roots must be owned and rotated. - Internal and external certificate policies differ. - Expiry must be observable before outage. ## Solution Automate certificate issuance, renewal, monitoring, and rotation through approved issuers and scoped identities. Treat certificate authority material as platform-root secret material. ## Verification - Certificates renew before expiry. - Issuers and trust roots are documented and protected. - Expiry monitoring alerts before service impact. - mTLS or internal TLS policies are tested where required. ## Related Patterns - Workload Identity. - Secret Zero Avoidance. - Secure Cluster Baseline. - Network Default Deny.