Hello! I’m currently evaluating the use of linkerd in our EKS cluster. I stepped through a replay of your excellent workshop “Linkerd Certificate Management Deep Dive” and think I have a handle on our cert management strategy. However, I have some questions about the security and operational implica…

Hi @ltamm ! These are excellent questions. :slight_smile: The broad concern with long-lived certificates is that the longer they’re in use, the more opportunity an evildoer has to steal them. (This is often expressed as the axiom that the longer a key is in use, the more valuable it becomes.) Also n…

Thank you @Flynn ! I think that all makes sense. We are planning to keep the trust anchor key away from the cluster for just that reason. Let’s say that an evildoer with access to the cluster gets hold of the identity issuer cert and private key. Would this also allow a hypothetical evildoer with a…

Have there been any recent updates relevant to this? What is the most cost-effective option that (1) doesn’t store the trust anchor secret in the EKS cluster, and (2) automatically rotates the trust anchor (or uses 10-year expiry)?

Security and operational considerations when setting intermediate CA cert expiries (cert-manager)

Linkerd General Discussion

Flynn October 12, 2023, 3:29pm 5

Yes, from the point they get the identity issuer private key…

…at least theoretically. I should probably point out that actually mounting that attack is, uh, complex. Great reason to automate quickly rotating the identity issuer!

1 Like

Topic		Replies	Views
Linkerd Certificate Management with AWS Private CA Issuer Linkerd General Discussion certificates	2	132	August 5, 2025
ERROR: failed to verify issuer credentials for 'identity.linkerd.cluster.local' with trust anchors: x509: certificate has expired or is not yet valid Linkerd General Discussion certificates	4	2118	January 22, 2024
Create a script that can automatically update the needed certifications for Linkerd once they expire Linkerd General Discussion certificates	6	588	October 20, 2023
Automatically Upgrading Linkerd Linkerd General Discussion certificates	6	485	October 29, 2023
linkerd-Identity-Issuer not refreshing certificates as expected Linkerd General Discussion proxy , configuration , mtls , certificates	5	216	January 8, 2026

Security and operational considerations when setting intermediate CA cert expiries (cert-manager)

Related topics