This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-certificate-automation.md

1.1 KiB

Pattern: Certificate Automation

Status: seed Readiness target: RL3 production Primary owners: Railiance platform, NetKingdom Genesis family: Secrets and cryptography

Problem

Manual certificate issuance and renewal create outages, weak defaults, and stale trust anchors.

Context

Use this pattern for ingress TLS, internal service TLS, mTLS, workload certificates, admin endpoints, and platform APIs.

Forces

  • Certificates need automated issuance and renewal.
  • Trust roots must be owned and rotated.
  • Internal and external certificate policies differ.
  • Expiry must be observable before outage.

Solution

Automate certificate issuance, renewal, monitoring, and rotation through approved issuers and scoped identities. Treat certificate authority material as platform-root secret material.

Verification

  • Certificates renew before expiry.
  • Issuers and trust roots are documented and protected.
  • Expiry monitoring alerts before service impact.
  • mTLS or internal TLS policies are tested where required.
  • Workload Identity.
  • Secret Zero Avoidance.
  • Secure Cluster Baseline.
  • Network Default Deny.