TLS PKI
10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard
🟢 Easy (3)
1. What is a certificate chain and what are its three levels?
Root CA (self-signed, in trust store) signs an Intermediate CA, which signs the Server Certificate. The client verifies the chain upward to a trusted root.

2. What is a SAN (Subject Alternative Name) and why is it preferred over CN?
SAN lists additional identities (domains, IPs) a certificate is valid for. Modern browsers require SAN; CN alone causes NET::ERR_CERT_COMMON_NAME_INVALID errors.

3. How do you check a remote server's certificate expiry date from the command line?
echo | openssl s_client -connect app.example.com:443 -servername app.example.com 2>/dev/null | openssl x509 -noout -dates

🟡 Medium (4)
1. How does cert-manager automate TLS in Kubernetes?
cert-manager watches Certificate custom resources, requests certificates from a configured Issuer (Let's Encrypt, internal CA, etc.), stores them in Kubernetes Secrets, and auto-renews before expiry using the renewBefore field.

2. What is the role of a CSR (Certificate Signing Request) in certificate issuance?
A CSR contains the public key and identity information (CN, SAN) and is sent to a CA for signing. The CA validates the request and returns a signed certificate. The private key never leaves the requestor.

3. What is mTLS and when is it used?
Mutual TLS requires both client and server to present certificates for authentication. It is used for service-to-service communication where both sides must prove identity, common in service meshes and internal APIs.

4. What is the correct sequence for manual certificate rotation in Kubernetes?
1) Generate new certificate, 2) Update the K8s Secret, 3) Trigger rollout restart of pods using the cert, 4) Verify new cert is served, 5) Revoke the old certificate.

🔴 Hard (3)
1. What are HTTP-01 and DNS-01 ACME challenge types, and when would you use each?
HTTP-01 proves domain ownership by serving a token on port 80 — simple but requires public HTTP access. DNS-01 proves ownership via a DNS TXT record — works for wildcard certs and when port 80 is not accessible, but requires DNS API access.

2. What does the error "x509: certificate signed by unknown authority" mean and how do you fix it?
The client does not trust the CA that signed the server certificate. Fix by adding the CA certificate to the client's trust store, or by using a well-known public CA. In Kubernetes, this often means distributing the internal CA cert to all consuming pods.

3. What is the difference between an Issuer and a ClusterIssuer in cert-manager?