generated from coulomb/repo-seed
1.1 KiB
1.1 KiB
Pattern: Certificate Automation
Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Secrets and cryptography
Problem
Manual certificate issuance and renewal create outages, weak defaults, and stale trust anchors.
Context
Use this pattern for ingress TLS, internal service TLS, mTLS, workload certificates, admin endpoints, and platform APIs.
Forces
- Certificates need automated issuance and renewal.
- Trust roots must be owned and rotated.
- Internal and external certificate policies differ.
- Expiry must be observable before outage.
Solution
Automate certificate issuance, renewal, monitoring, and rotation through approved issuers and scoped identities. Treat certificate authority material as platform-root secret material.
Verification
- Certificates renew before expiry.
- Issuers and trust roots are documented and protected.
- Expiry monitoring alerts before service impact.
- mTLS or internal TLS policies are tested where required.
Related Patterns
- Workload Identity.
- Secret Zero Avoidance.
- Secure Cluster Baseline.
- Network Default Deny.