SSL/TLS Configuration
TLS misconfigurations are the most common finding in security audits — weak cipher suites, expired certificates, missing HSTS headers, and plaintext internal communication. We configure TLS end-to-end: public-facing services with A+ SSL Labs scores, automated certificate renewal, and internal PKI for service-to-service encryption.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Certificate Automation
Let's Encrypt via cert-manager (Kubernetes) or Certbot (standalone) automates certificate issuance and renewal. Certificates renew 30 days before expiry, so 'the cert expired on Friday night' incidents stop happening. For domains whose DNS is hosted on Cloudflare or AWS, we use DNS-01 challenges, which are the only challenge type that can issue wildcard certificates. A certificate inventory tracks every cert, its expiry date, and which services use it.
Cipher Suite & Protocol Hardening
TLS 1.3 is preferred and TLS 1.2 is the minimum; TLS 1.0 and 1.1 are disabled. Cipher suites are limited to AEAD ciphers (ChaCha20-Poly1305, AES-GCM) with ECDHE key exchange, so every session has forward secrecy. Static RSA key exchange and CBC-mode ciphers are removed. HSTS headers with includeSubDomains and preload-list submission prevent HTTPS-to-HTTP downgrade (SSL-stripping) attacks. The configuration targets an A+ rating on SSL Labs while remaining compatible with modern clients.
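The rules in this section can be checked mechanically. The script below is an added example, not Anubiz Engineering's tooling: it audits an nginx-style TLS server block for the legacy protocols, non-forward-secret or non-AEAD OpenSSL cipher names, and HSTS directives discussed above. The two server blocks are constructed samples, one weak and one hardened; the hardened cipher list and `ssl_prefer_server_ciphers off` follow the usual modern-client recommendation and are an assumption of this example, not a quote from the page.

```python
"""Audit an nginx TLS server block against the hardening rules above.

Added example (not the page's own tooling). It inspects the ``ssl_protocols``,
``ssl_ciphers`` and ``add_header Strict-Transport-Security`` directives of a
config and returns a list of findings; an empty list means the block passes.
"""
import re

AEAD_MARKERS = ("-GCM-", "POLY1305")          # OpenSSL names of AES-GCM / ChaCha20-Poly1305 suites
PFS_PREFIXES = ("ECDHE-", "DHE-")             # ephemeral key exchange => forward secrecy
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000                            # preload submission requires max-age >= one year

# Constructed sample: a typical legacy config found in audits.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: the hardened equivalent (AEAD + ECDHE only, HSTS with preload).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""


def _directive(config, name):
    """Return the argument string of the first `name ...;` directive, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(.*?);", config, re.M | re.S)
    return m.group(1).strip() if m else None


def audit(config):
    """Return a list of human-readable findings for one nginx server block."""
    findings = []

    protocols = _directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; declare it explicitly instead of relying on the build default")
    else:
        enabled = set(protocols.split())
        for proto in sorted(enabled & LEGACY_PROTOCOLS):
            findings.append(f"legacy protocol enabled: {proto}")
        if "TLSv1.3" not in enabled:
            findings.append("TLSv1.3 not enabled")

    ciphers = _directive(config, "ssl_ciphers")
    if ciphers is not None:
        for token in ciphers.strip("'\"").split(":"):
            if not token or token.startswith(("!", "@")):
                continue                       # exclusions and ordering modifiers
            if "-" not in token:               # e.g. HIGH, MEDIUM: a group, not a suite
                findings.append(f"opaque cipher group, expand with `openssl ciphers -v '{token}'`: {token}")
                continue
            if not token.startswith(PFS_PREFIXES):
                findings.append(f"no forward secrecy (static key exchange): {token}")
            if not any(marker in token for marker in AEAD_MARKERS):
                findings.append(f"non-AEAD (CBC or legacy) cipher: {token}")

    hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', config)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        value = hsts.group(1).lower()
        m = re.search(r"max-age=(\d+)", value)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year (preload requires >= 31536000)")
        if "includesubdomains" not in value:
            findings.append("HSTS missing includeSubDomains")
        if "preload" not in value:
            findings.append("HSTS missing preload directive")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

The checker works on OpenSSL cipher names because that is what `ssl_ciphers` takes; it only flags what it can prove from the text, which is why a group macro such as `HIGH` is reported for manual expansion rather than silently passed. The `always` parameter on the HSTS header matters in practice: without it nginx omits the header on error responses.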
Internal PKI
Internal services get TLS certificates from a private CA (Vault PKI backend, cert-manager with a CA issuer, or step-ca). Short-lived certificates (24-72 hours) eliminate the need for revocation infrastructure, because a leaked certificate expires before a CRL or OCSP response would have propagated. Automatic rotation via sidecar injection or init containers means services always hold valid certs without manual intervention. Internal traffic is encrypted without publishing internal hostnames to public CAs and, through them, to Certificate Transparency logs.
Monitoring & Transparency
Certificate Transparency log monitoring (via crt.sh or dedicated tools) alerts on unexpected certificate issuance for your domains, catching mis-issuance or a compromised validation path. Prometheus exporters track certificate expiry across all endpoints, and dashboards show days-until-expiry for every certificate in your infrastructure. Alerts fire at 30, 14, and 7 days before expiry as a safety net behind the renewal automation.
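Both checks in this section reduce to small pieces of detection logic. The script below is an added example, not part of the page or of Anubiz Engineering's monitoring stack. The CT entries are a constructed sample shaped like crt.sh's JSON output (the `issuer_name` and newline-separated `name_value` fields are an assumption about that format); the expiry inventory uses the `notAfter` string format that Python's `ssl.getpeercert()` returns, so the same function can be fed live results from a scan. Issuer and host allowlists for `example.com` are likewise constructed.

```python
"""CT-log issuance alerts and expiry-tier alerts over constructed sample data.

Added example, not the page's own tooling. Nothing here touches the network:
CT_ENTRIES stands in for a crt.sh JSON response and INVENTORY for the output
of a certificate scan.
"""
import ssl
from datetime import datetime, timezone

# Public CAs we actually use for example.com (constructed allowlist).
EXPECTED_ISSUERS = ("Let's Encrypt",)
# Hostnames we know we operate (constructed inventory of names).
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}

# Constructed sample shaped like crt.sh JSON entries (field names assumed).
CT_ENTRIES = [
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"id": 102, "issuer_name": "C=XX, O=Example Rogue CA, CN=Rogue R1",   # constructed
     "name_value": "login.example.com"},
    {"id": 103, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.example.com"},
]


def unexpected_issuance(entries, expected_issuers=EXPECTED_ISSUERS, known_hosts=KNOWN_HOSTS):
    """Flag CT entries from an issuer we do not use, or naming a host we do not know."""
    alerts = []
    for entry in entries:
        if not any(issuer in entry["issuer_name"] for issuer in expected_issuers):
            alerts.append((entry["id"], "unexpected issuer: " + entry["issuer_name"]))
        unknown = sorted(set(entry["name_value"].split("\n")) - known_hosts)
        if unknown:
            alerts.append((entry["id"], "unknown names: " + ", ".join(unknown)))
    return alerts


# Alert tiers from the text: 30 / 14 / 7 days before expiry, most severe first.
ALERT_THRESHOLDS = ((7, "critical"), (14, "high"), (30, "warning"))

# Constructed inventory; notAfter uses the ssl.getpeercert() string format.
INVENTORY = [
    {"host": "api.example.com",  "notAfter": "Jun  5 00:00:00 2025 GMT"},
    {"host": "www.example.com",  "notAfter": "Jun 11 00:00:00 2025 GMT"},
    {"host": "cdn.example.com",  "notAfter": "Aug 30 00:00:00 2025 GMT"},
    {"host": "mail.example.com", "notAfter": "Jun 25 00:00:00 2025 GMT"},
    {"host": "old.example.com",  "notAfter": "May 20 00:00:00 2025 GMT"},
]


def days_until_expiry(not_after, now):
    """Days remaining (float, negative if expired) for a getpeercert()-style notAfter string."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).total_seconds() / 86400


def expiry_alerts(inventory, now):
    """Return (host, severity) for every cert inside an alert window or already expired."""
    alerts = []
    for cert in inventory:
        days = days_until_expiry(cert["notAfter"], now)
        if days < 0:
            alerts.append((cert["host"], "expired"))
            continue
        for limit, severity in ALERT_THRESHOLDS:
            if days <= limit:
                alerts.append((cert["host"], severity))
                break
    return alerts


if __name__ == "__main__":
    for alert in unexpected_issuance(CT_ENTRIES):
        print("CT:", alert)
    for alert in expiry_alerts(INVENTORY, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print("expiry:", alert)
```

In production the 30-day tier is expected to stay quiet, because renewal fires at that point; a cert that reaches the 14-day tier is the signal that automation itself has failed, which is the whole reason for keeping the manual thresholds behind it.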
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.