Section 8: Certificate Management
TLS Strategy
All communication is encrypted with TLS. Each tier uses a different certificate source and rotation period:
| Tier | Certificate Source | Rotation |
|---|---|---|
| Public endpoints | Cloudflare (edge) | Automatic |
| Control plane internal | cert-manager + Let's Encrypt | 90 days auto-renew |
| Agent mTLS | Internal CA (planned) | 24-48 hours |
| Database connections | Self-signed (internal only) | Annual |
Agent Certificate Lifecycle
1. Agent enrolls with a one-time bootstrap token (invalidated on first use).
2. Control plane issues a short-lived certificate (24-48h).
3. Agent auto-renews before expiry, with enough margin to retry a failed renewal while the current certificate is still valid.
4. Revocation via CRL or real-time check.
Key Storage
Private keys never leave the place they were generated. Agent keys are generated on-device, so enrollment and renewal send a certificate signing request rather than the key; control plane keys are held in Kubernetes Secrets. Kubernetes Secrets are only base64-encoded in etcd unless encryption at rest is configured, so that setting and RBAC on the Secret objects are part of this control.
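The four lifecycle steps above and the on-device key rule in one runnable sketch. This is an added example, not the project's code (the internal CA is still listed as planned): it assumes an in-memory `ControlPlaneCA` with a P-256 ECDSA root named `agent-mtls-ca`, a 24h certificate lifetime (the short end of the stated 24-48h window), a revocation set keyed by serial number standing in for the CRL or real-time check, and an `Agent` that generates a fresh key on-device for every certificate and sends only a CSR. The type and function names and the renew-at-one-third-remaining threshold are this example's choices, not the document's.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CertLifetime is the short end of the document's 24-48h window (value assumed for this example).
const CertLifetime = 24 * time.Hour

// ControlPlaneCA is a hypothetical in-memory internal CA: key and cert, unconsumed one-time bootstrap tokens, and a revocation set (stands in for CRL / real-time check).
type ControlPlaneCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tokens  map[string]bool
	revoked map[string]bool
	serial  int64
}

func NewControlPlaneCA(bootstrapTokens []string) (*ControlPlaneCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	ca := &ControlPlaneCA{key: key, tokens: map[string]bool{}, revoked: map[string]bool{}, serial: 1}
	for _, t := range bootstrapTokens { ca.tokens[t] = true }
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "agent-mtls-ca"}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, root, root, &key.PublicKey, key) // self-signed root
	if err != nil { return nil, err }
	ca.cert, err = x509.ParseCertificate(der)
	return ca, err
}
// Enroll (steps 1-2): consume the one-time bootstrap token (deleted even if the CSR is then rejected), then sign the agent's CSR.
func (ca *ControlPlaneCA) Enroll(token string, csrDER []byte) (*x509.Certificate, error) {
	if !ca.tokens[token] { return nil, errors.New("enroll: unknown or already-used bootstrap token") }
	delete(ca.tokens, token)
	return ca.issue(csrDER)
}
// Renew (step 3): re-issue only to an agent presenting a still-valid, unrevoked cert (in a deployment, the client cert of its mTLS session).
func (ca *ControlPlaneCA) Renew(current *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	if err := ca.Verify(current, time.Now()); err != nil { return nil, err }
	return ca.issue(csrDER)
}
// Revoke (step 4) records the serial; Verify consults the set on every connection.
func (ca *ControlPlaneCA) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }
// Verify is the per-connection check: chain to the internal CA, validity at `at`, client-auth EKU, then revocation.
func (ca *ControlPlaneCA) Verify(c *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil { return err }
	if ca.revoked[c.SerialNumber.String()] { return errors.New("certificate revoked") }
	return nil
}
// issue checks the CSR's self-signature (proof the agent holds the on-device key) and signs a short-lived client cert;
// only the CN is taken from the CSR, and NotBefore is backdated a minute to tolerate agent/control-plane clock skew.
func (ca *ControlPlaneCA) issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	ca.serial++
	leaf := &x509.Certificate{SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: csr.Subject.CommonName}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(CertLifetime), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca.cert, csr.PublicKey, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Agent keeps its private key on-device; only CSRs (public key plus proof of possession) leave it.
type Agent struct {
	Name string
	key  *ecdsa.PrivateKey // goes into tls.Config for the mTLS handshake, never serialised out
	Cert *x509.Certificate
}
func (a *Agent) Bootstrap(ca *ControlPlaneCA, token string) error { return a.obtain(func(csr []byte) (*x509.Certificate, error) { return ca.Enroll(token, csr) }) }
func (a *Agent) Renew(ca *ControlPlaneCA) error { return a.obtain(func(csr []byte) (*x509.Certificate, error) { return ca.Renew(a.Cert, csr) }) }
// obtain generates a fresh key per certificate and swaps it in only once the CA has accepted the CSR.
func (a *Agent) obtain(sign func([]byte) (*x509.Certificate, error)) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: a.Name}}, key)
	if err != nil { return err }
	cert, err := sign(csr)
	if err != nil { return err }
	a.key, a.Cert = key, cert
	return nil
}
// NeedsRenewal turns true once under a third of the lifetime remains (about 16h into a 24h cert), leaving room to retry before lockout.
func (a *Agent) NeedsRenewal(now time.Time) bool {
	if a.Cert == nil { return true }
	lifetime := a.Cert.NotAfter.Sub(a.Cert.NotBefore)
	return now.After(a.Cert.NotAfter.Add(-lifetime / 3))
}
```

Renew deliberately leaves the superseded certificate valid until its NotAfter so that in-flight connections survive the rotation; if the old key is suspected compromised, call Revoke on it explicitly. The revocation set here is process-local; a CRL or an OCSP-style endpoint is what makes the same check available to every control-plane node.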