
Secret management for mTLS #471

@dtomcej


Proposal

To properly implement mTLS, we need to have a secret store/certificate system to:

  • Store root mTLS signing certificates
  • Provide API access to distribute certificates to new nodes
  • Handle re-issuing/rotating certificates as they expire

Background

Implementing mTLS requires having trusted and signed certificates as part of the communication between nodes. We need to be able to generate and use signed certificates that are trusted.

We also require these certificates to be generated dynamically so that they can be re-issued and reused by new nodes and rotated before expiry.

It would also be ideal if a signed intermediate was exposed so that users could have the option to add the root to their app so that they could tap into the mTLS trust chain, and leverage the pre-existing chain to the end app.

Options

  • Hashicorp Vault

Although Vault seems to have a bunch of this functionality, it has fairly steep system requirements, which might be more than we are wanting to handle.

  • Custom/Roll our own

This might be good at the start, since we have a fairly small set of requirements.
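The root/intermediate/node chain and the rotate-before-expiry check the proposal asks for, as an added Go example (not code from this issue or the project); the CA names, serial numbers, lifetimes and the last-third rotation threshold are assumptions made for the example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a CA or node-leaf cert for cn, gives it a fresh Ed25519 key and has parentKey sign it (self-signed when parent is nil).
func issue(cn string, serial int64, ttl time.Duration, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca { // a node leaf signs TLS handshakes and must authenticate as both client and server under mTLS
		t.KeyUsage, t.DNSNames, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // root: signs itself with the key just generated
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues root -> intermediate -> 24h node leaf (hypothetical names/lifetimes); the root key stays in the store, the intermediate is what gets published to user apps.
func BuildChain(node string) (root, inter, leaf *x509.Certificate, err error) {
	var rootKey, interKey ed25519.PrivateKey
	if root, rootKey, err = issue("mesh-root", 1, 10*365*24*time.Hour, true, nil, nil); err != nil {
		return
	}
	if inter, interKey, err = issue("mesh-intermediate", 2, 365*24*time.Hour, true, root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue(node, 3, 24*time.Hour, false, inter, interKey)
	return
}

// NeedsRotation is true once cert is in the last third of its lifetime: the rotation job re-issues it then, well before NotAfter, so a node never presents an expired cert.
func NeedsRotation(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(cert.NotAfter.Add(-cert.NotAfter.Sub(cert.NotBefore) / 3))
}
```

A peer that has only been given the root cannot validate a node certificate unless the intermediate is sent alongside it, which is the case the proposal's "expose a signed intermediate" point is about.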
