Quiz: TLS & PKI
7 questions
L0 (1 question)
1. What is a certificate chain and why does order matter?
Show answer
A certificate chain links a server certificate to a trusted root CA through intermediate CAs: Root CA -> Intermediate CA -> Server Certificate. The server must send its certificate plus the intermediate(s). If the chain is incomplete (missing intermediate), clients cannot verify trust and the connection fails. Root CAs are pre-installed in client trust stores.
L1 (3 questions)
1. A TLS certificate error says 'certificate has expired'. How do you check and fix it?
Show answer
openssl s_client -connect host:443 | openssl x509 -noout -dates. Check notAfter. Renew the cert, update the secret/configmap, reload the server. Automate with cert-manager or ACME.
2. What is TLS termination and where does it typically happen?
Show answer
TLS termination is where encrypted traffic is decrypted. Typically at the load balancer or ingress controller, so backend services handle plain HTTP. Benefits: centralizes cert management, offloads crypto from app servers. Tradeoff: traffic between LB and backend is unencrypted unless you use re-encryption.
3. What is the difference between the CN (Common Name) and SAN (Subject Alternative Names) fields in a certificate?
Show answer
CN is the legacy identity field (e.g., app.example.com). SAN is the modern standard supporting multiple identities (multiple domains, wildcards, IP addresses). Modern browsers and clients require SAN — some ignore CN entirely if SAN is present. Always populate SAN when issuing certificates. *Common mistake:* People still create certs with only CN and wonder why Chrome rejects them — CN-only is deprecated.
L2 (2 questions)
1. A TLS handshake fails with 'certificate verify failed'. What do you check?
Show answer
1. Certificate expired (openssl x509 -enddate).
2. Wrong CA bundle on the client.
3. CN/SAN doesn't match the hostname.
4. Intermediate cert missing from the chain.
5. Clock skew between client and server.
Use: openssl s_client -connect host:443 to inspect the chain.
2. How does cert-manager automate certificate lifecycle in Kubernetes?
Show answer
cert-manager watches Certificate resources, requests certs from configured Issuers (Let's Encrypt, Vault, self-signed CA), stores them as Kubernetes Secrets, and automatically renews before expiry (default: 2/3 through the validity period). Flow: Certificate CR -> cert-manager creates Order/Challenge -> ACME validation (HTTP-01 or DNS-01) -> cert stored in Secret -> referenced by Ingress or application. ClusterIssuer works across namespaces.
L3 (1 question)
1. You have 200 microservices using mTLS via cert-manager. Certificates are valid for 90 days. One Monday, 40 services fail simultaneously with TLS errors. What happened and how do you prevent recurrence?