Portal | Level: L2: Operations | Topics: TLS & PKI | Domain: Security

TLS & PKI - Skill Check

Mental model (bottom-up)

TLS authenticates a server with a certificate signed by a certificate authority (CA) and encrypts traffic under a session key negotiated during the handshake. cert-manager automates the certificate lifecycle: issue, renew, rotate. Certificate expiry is a top cause of production outages.

Visual stack

[Root CA          ]  self-signed, in trust stores
|
[Intermediate CA  ]  signed by Root, signs server certs
|
[Server Cert      ]  presented to clients (has DNS names in SAN)
|
[TLS Handshake    ]  client verifies chain -> negotiate session key -> encrypted

Glossary

  • CA - Certificate Authority; signs certificates
  • SAN - Subject Alternative Names; DNS names/IPs the cert is valid for
  • cert-manager - K8s controller for automated certificate lifecycle
  • ACME - protocol for automated cert issuance (Let's Encrypt)
  • HTTP-01 - ACME challenge: prove domain ownership via HTTP endpoint
  • DNS-01 - ACME challenge: prove domain ownership via DNS TXT record
  • mTLS - mutual TLS; both client and server present certificates

Core questions (easy -> hard)

  • How does TLS work?
    Server presents cert. Client verifies chain. Key exchange. Encrypted session.
  • What is cert-manager?
    Automates cert issuance, storage in K8s Secrets, and renewal before expiry.
  • CN vs SAN?
    CN is legacy. SAN is modern (supports multiple domains/IPs). Always use SAN.
  • HTTP-01 vs DNS-01?
    HTTP-01: needs port 80. DNS-01: works for wildcards, no inbound needed.
  • How do you debug "certificate has expired"?
    Check cert dates, cert-manager Certificate status, issuer config, renewal logs.
  • How do you rotate certs without downtime?
    cert-manager renews before expiry, updates Secret. Rolling restart pods.
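Added example (not part of this wiki page): it builds the Root -> Intermediate -> Server chain from the visual stack with the openssl CLI and then runs the client-side checks behind the "certificate has expired" and "CN vs SAN" questions. The example.test hostnames and the scratch directory are constructed placeholders; it assumes only that openssl 1.1.1 or newer is installed.

```shell
# Constructed demo: three-tier chain built with openssl, then the checks a
# client (or an on-call engineer) runs. example.test names are placeholders.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.test,DNS:www.example.test
EOF
# build_chain DIR: root (self-signed, 365d) signs intermediate (180d), which
# signs the server cert (30d). Clients match the hostname against SAN, not CN.
build_chain() {
  d=$1; cnf=$d/openssl.cnf
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 -config "$cnf" -extensions v3_ca $key -days 365 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem"
  openssl req -new -config "$cnf" $key -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 180 -extfile "$cnf" -extensions v3_ca -out "$d/int.pem"
  openssl req -new -config "$cnf" $key -subj "/CN=ignored.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$cnf" -extensions v3_server -out "$d/srv.pem"
}
# verify_chain DIR HOST: root from the trust store, intermediate supplied by
# the server, HOST must be in the SAN. Exit 0 only if every step passes.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname "$2" "$1/srv.pem" >/dev/null
}
# expires_within PEM SECONDS: exit 0 if NotAfter falls inside the window,
# i.e. the cert is due for renewal (or already expired).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
build_chain "$WORK" 2>/dev/null
openssl x509 -in "$WORK/srv.pem" -noout -subject -enddate
verify_chain "$WORK" api.example.test && echo "chain and SAN OK for api.example.test"
verify_chain "$WORK" other.example.test || echo "hostname mismatch: not in SAN"
# A 30-day cert is safe for the next 7 days but inside a 60-day renewal window.
expires_within "$WORK/srv.pem" $((60 * 86400)) && echo "renew before it expires"
```

Point expires_within at a cert pulled from a cert-manager Secret to see whether the renewal window was missed, and verify_chain at the served chain to separate a SAN mismatch from a broken intermediate.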
