Code Room
On-call / Medium
Question
Internal service B presents a client cert to service A over mTLS. At 10:00, after B's cert was reissued overnight by a new internal sub-CA, A starts rejecting B's handshakes with 'unable to verify the first certificate' / 'certificate signed by unknown authority'. Only the A→B path is affected: B's calls to other services that trust the new sub-CA's root succeed. Dashboards: B's new leaf is valid and unexpired; A's trust store contains the ROOT CA. No clock issues. How do you triage and mitigate?
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
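An added example, not part of the question page: a Go replay of the hypothesis that best fits these symptoms, namely that B's reissued bundle contains only the new leaf, so A (which trusts the root but has never seen the new sub-CA) cannot build the chain. The names internal-root, new-sub-ca and service-b and the throwaway PKI are constructed for the demo; VerifyAsA stands in for A's handshake check and shows both the proper fix (B sends the sub-CA with its leaf) and the stopgap (A's store gains the sub-CA).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a cert for cn signed by parent (self-signed root when parent is nil); constructed throwaway PKI, one permissive template for all three.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, priv // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// VerifyAsA replays service A's check: the leaf must chain to A's trust store (trusted) using only the intermediate B
// actually sent (sent == nil means B sent just its leaf). Returns "ok", "unknown-authority" (the incident's error class) or other error text.
func VerifyAsA(leaf, sent *x509.Certificate, trusted ...*x509.Certificate) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	if sent != nil {
		inters.AddCert(sent)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if _, unknown := err.(x509.UnknownAuthorityError); unknown {
		return "unknown-authority"
	} else if err != nil {
		return err.Error()
	}
	return "ok"
}

// Scenario: B sends only its leaf (the incident); B sends leaf plus the new sub-CA (proper fix); A's store also gains the sub-CA (stopgap).
func Scenario() (leafOnly, fullChain, storePatched string) {
	root, rootKey := mkCert("internal-root", true, nil, nil)
	subCA, subKey := mkCert("new-sub-ca", true, root, rootKey)
	leaf, _ := mkCert("service-b", false, subCA, subKey)
	return VerifyAsA(leaf, nil, root), VerifyAsA(leaf, subCA, root), VerifyAsA(leaf, nil, root, subCA)
}
```

The same check applies to a real handshake capture: if the chain B presents stops at the leaf, the leaf-only branch is the incident, and the fix belongs in B's cert bundle rather than in A's trust store.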