Zero Trust Security

Certificate-Based Authentication

Certificates provide cryptographic proof of identity without shared secrets. Anubiz Engineering implements certificate-based authentication for your services and infrastructure — deploying PKI, automating certificate lifecycle, and configuring mutual TLS so every connection starts with verified identity on both sides.

PKI Architecture

We design a PKI hierarchy appropriate to your scale: a root CA stored offline (or in a cloud HSM), intermediate CAs for different environments, and leaf certificates for services and devices. Certificate policies define key sizes, validity periods, and allowed key usages. The root CA signs intermediates, intermediates sign leaf certificates, and trust is established through the chain. Revocation is handled through CRL distribution points or OCSP responders.

Automated Certificate Lifecycle

Manual certificate management is a reliability and security risk. We automate the full lifecycle: cert-manager in Kubernetes issues and renews certificates automatically, the Vault PKI engine generates short-lived certificates on demand, and the ACME protocol handles public TLS certificates. Certificates renew 30 days before expiry. Expiry monitoring alerts fire if any certificate in the estate is within 14 days of expiry without a pending renewal.

Service Certificate Authentication

Services authenticate to each other using certificates instead of API keys or tokens. Each service gets a unique certificate from the internal CA with the service name in the SAN field. mTLS connections verify both sides. Certificate-based authentication eliminates credential theft risk — there is no password to steal, no token to leak. Compromised certificates are revoked through CRL updates that propagate within minutes.
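
An added example (not Anubiz Engineering's code) of the check this section describes: verify the peer's chain against the internal CA, then authorize the caller by the service name in the SAN. The in-memory CA, the `*.svc.internal` names, and the helpers `issue` and `authorizePeer` are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed root CA.
func issue(cn string, sans []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root: may sign certificates, carries no client-auth usage
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage, tpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorizePeer checks the chain to the internal CA first, then maps a SAN to an allowed caller.
func authorizePeer(roots *x509.CertPool, leaf *x509.Certificate, allowed map[string]bool) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	for _, name := range leaf.DNSNames {
		if allowed[name] {
			return name, nil
		}
	}
	return "", fmt.Errorf("valid certificate, but SANs %v are not authorized callers", leaf.DNSNames)
}

func main() {
	ca, caKey := issue("constructed-internal-ca", nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, _ := issue("billing", []string{"billing.svc.internal"}, ca, caKey) // constructed service name
	fmt.Println(authorizePeer(roots, leaf, map[string]bool{"billing.svc.internal": true}))
}
```

In a server, the leaf would be `ConnectionState().PeerCertificates[0]` after a handshake with `ClientAuth: tls.RequireAndVerifyClientCert`. Go's `Verify` does not consult CRLs or OCSP, so the revocation check has to be added separately.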

Client Certificates for Users

For high-security environments, users authenticate with client certificates provisioned to their devices during enrollment. The certificate binds the user identity to the device identity. We configure certificate-based authentication alongside SSO: the initial authentication uses both the user's IdP credentials and the device certificate. This provides hardware-bound authentication that is immune to credential phishing.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.