Code Room
System designHard
Question
Design a certificate and PKI management system that issues, renews, and revokes TLS certificates for an internal fleet of 200k services plus external customer domains. It must support automated issuance/renewal (ACME-style) at ~10k issuances/hour, short-lived certs to minimize revocation reliance, and a compromised intermediate CA must be containable without re-trusting every leaf. Cover the CA hierarchy, automated lifecycle, the revocation strategy, and how you protect the root signing keys.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
Learn the concepts
Loading whiteboard…
Run or narrate your approach, then ask the coach.