Code Room
System designHardsd-g623
Subject Pki certificate authLevel Senior–Staff~50 minCommon in Security interviewsIndustries Technology

Question

Design a certificate and PKI management system that issues, renews, and revokes TLS certificates for an internal fleet of 200k services plus external customer domains. It must support automated issuance/renewal (ACME-style) at ~10k issuances/hour, short-lived certs to minimize revocation reliance, and a compromised intermediate CA must be containable without re-trusting every leaf. Cover the CA hierarchy, automated lifecycle, the revocation strategy, and how you protect the root signing keys.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.

Narrate your design
Loading whiteboard…
Run or narrate your approach, then ask the coach.