Code Room
On-call | Medium | oc-g502
Subject: mTLS failure | Level: Mid–Senior | ~30 min | Common in Reliability & on-call interviews | Industries: Technology, Software development

Question

Internal service B presents a client cert to service A over mTLS. At 10:00, after B's cert was reissued by a new internal sub-CA overnight, A starts rejecting B's handshakes with 'unable to verify the first certificate' / 'certificate signed by unknown authority' — but only A→B; B's calls to other services that trust the new sub-CA's root succeed. Dashboards: B's new leaf is valid and unexpired; A's trust store contains the ROOT CA. No clock issues. How do you triage and mitigate?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
