Question
Design a service-mesh PKI / certificate-distribution system that issues short-lived (e.g., 24-hour or shorter) mTLS certificates to ~20,000 workload instances for service-to-service authentication, where certs auto-renew before expiry, a compromised workload's cert can be invalidated quickly, and the whole fleet must keep working even if the CA has a brief outage. Issuance peaks at thousands of certs/min during deploys. Walk through the trust hierarchy, how a workload proves it deserves a cert (bootstrapping), and the trade-off between short-lived certs and traditional CRL/OCSP revocation.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
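A back-of-the-envelope model of the trade-off the question raises (short lifetime versus CA-outage tolerance and issuance load), as an added example that is not part of the original question; the renewal policy, the jitter scheme, the fleet size and the outage timing are assumed values:

```python
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Policy:
    lifetime_s: int    # cert validity (assumed: 24h)
    renew_at: float    # fraction of lifetime at which a workload first tries to renew
    jitter: float      # renewal point spread, +/- fraction of lifetime (avoids thundering herd)


def renewal_time(issued_at: int, policy: Policy, rng: random.Random) -> int:
    """First renewal attempt for a cert issued at `issued_at` (seconds)."""
    spread = policy.jitter * policy.lifetime_s
    return int(issued_at + policy.renew_at * policy.lifetime_s + rng.uniform(-spread, spread))


def outage_tolerance_s(policy: Policy) -> int:
    """Longest CA outage with no cert expiring: the unluckiest workload's renewal
    (pushed latest by jitter) begins just as the CA goes down."""
    return int(round((1 - policy.renew_at - policy.jitter) * policy.lifetime_s))


def steady_state_issuance_per_min(fleet: int, policy: Policy) -> float:
    """Average issuance load between deploys: one renewal per renew_at*lifetime."""
    return fleet / (policy.renew_at * policy.lifetime_s / 60)


def simulate_outage(fleet: int, policy: Policy, outage_s: int, seed: int = 7) -> int:
    """Constructed simulation: workloads get a first cert at random times in the
    first lifetime, renew on schedule (renewals succeed instantly) until the CA
    goes down at t = 2*lifetime for `outage_s` seconds. Returns how many certs
    expire before the CA is back (each one is a workload that drops off the mesh)."""
    rng = random.Random(seed)
    L = policy.lifetime_s
    start, end = 2 * L, 2 * L + outage_s
    expired = 0
    for _ in range(fleet):
        issued = rng.randrange(L)
        attempt = renewal_time(issued, policy, rng)
        while attempt < start:                     # renewal before the outage succeeds
            issued, attempt = attempt, renewal_time(attempt, policy, rng)
        if issued + L < end:                       # stuck until the CA returns; expires first
            expired += 1
    return expired


if __name__ == "__main__":
    p = Policy(lifetime_s=24 * 3600, renew_at=0.5, jitter=0.1)
    print("steady-state issuance/min:", round(steady_state_issuance_per_min(20000, p), 1))
    print("CA outage tolerated (h):", outage_tolerance_s(p) / 3600)
    print("certs expired in a 20h outage:", simulate_outage(20000, p, 20 * 3600))
```

Halving the lifetime halves the window in which a compromised cert stays usable, but under this policy it also halves the CA outage the fleet survives and doubles steady-state issuance, which is why the renewal fraction and jitter are part of the design rather than an afterthought.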