Code Room
System design | Hard | sd-g241
Subject: Secrets management | Level: Senior–Staff | ~45 min | Common in Security interviews | Industries: Technology, Software development

Question

Design a service-mesh PKI / certificate-distribution system that issues short-lived (e.g., 24-hour or shorter) mTLS certificates to ~20,000 workload instances for service-to-service authentication, where certs auto-renew before expiry, a compromised workload's cert can be invalidated quickly, and the whole fleet must keep working even if the CA has a brief outage. Issuance peaks at thousands of certs/min during deploys. Walk through the trust hierarchy, how a workload proves it deserves a cert (bootstrapping), and the trade-off between short-lived certs and traditional CRL/OCSP revocation.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
