generated from coulomb/repo-seed
44 lines
1.1 KiB
Markdown
44 lines
1.1 KiB
Markdown
# Pattern: Certificate Automation
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, NetKingdom
|
|
Genesis family: Secrets and cryptography
|
|
|
|
## Problem
|
|
|
|
Manual certificate issuance and renewal create outages, weak defaults,
|
|
and stale trust anchors.
|
|
|
|
## Context
|
|
|
|
Use this pattern for ingress TLS, internal service TLS, mTLS, workload
|
|
certificates, admin endpoints, and platform APIs.
|
|
|
|
## Forces
|
|
|
|
- Certificates need automated issuance and renewal.
|
|
- Trust roots must be owned and rotated.
|
|
- Internal and external certificate policies differ.
|
|
- Expiry must be observable before outage.
|
|
|
|
## Solution
|
|
|
|
Automate certificate issuance, renewal, monitoring, and rotation through
|
|
approved issuers and scoped identities. Treat certificate authority
|
|
material as platform-root secret material.
|
|
|
|
## Verification
|
|
|
|
- Certificates renew before expiry.
|
|
- Issuers and trust roots are documented and protected.
|
|
- Expiry monitoring alerts before service impact.
|
|
- mTLS or internal TLS policies are tested where required.
|
|
|
|
## Related Patterns
|
|
|
|
- Workload Identity.
|
|
- Secret Zero Avoidance.
|
|
- Secure Cluster Baseline.
|
|
- Network Default Deny.
|