Service-to-Service Authentication and Authorization

Calendar February 22, 2026
Microservices
Intermediate
Mtls-Configuration, Workload-Identity-Management, Authorization-Policy-Design, Zero-Trust-Implementation
Mtls, Service-Mesh, Spiffe, Spire, Zero-Trust, Istio, Linkerd, Authorization
Istio, Linkerd, Spire, Kubectl

Service-to-Service Authentication and Authorization#

In a microservice architecture, services communicate over the network. Without authentication, any process that can reach a service can call it. Without authorization, any authenticated caller can do anything. Zero-trust networking assumes the internal network is hostile and requires every service-to-service call to be authenticated, authorized, and encrypted.

Mutual TLS (mTLS)#

Standard TLS has the client verify the server’s identity. Mutual TLS adds the reverse – the server also verifies the client’s identity. Both sides present certificates. This provides three things: encryption in transit, server authentication, and client authentication.

Certificate Management Deep Dive

Calendar February 21, 2026
Security
Intermediate
Pki-Design, Cert-Manager-Configuration, Vault-Pki-Engine, Certificate-Debugging
Pki, Certificates, Tls, Cert-Manager, Vault, Spiffe, Spire, X509, Certificate-Rotation
Openssl, Cert-Manager, Vault, Spire, Cfssl, Step-Ca

PKI Fundamentals#

A Public Key Infrastructure (PKI) is a hierarchy of trust. At the top sits the Root CA, a certificate authority that signs its own certificate and is explicitly trusted by all participants. Below it are Intermediate CAs, signed by the root, which handle day-to-day certificate issuance. At the bottom are leaf certificates, the actual certificates used by servers, clients, and workloads.

Root CA (self-signed, offline, 10-20 year validity)
  |
  +-- Intermediate CA (signed by root, online, 3-5 year validity)
        |
        +-- Leaf Certificate (signed by intermediate, 90 days or less)
        +-- Leaf Certificate
        +-- Leaf Certificate

Never use the root CA directly to sign leaf certificates. If the root CA’s private key is compromised, the entire PKI must be rebuilt from scratch. Keeping it offline and behind an intermediate CA limits the blast radius. If an intermediate CA is compromised, you revoke it and issue a new one from the root – leaf certificates from other intermediates remain valid.

Zero Trust Networking

Calendar February 21, 2026
Security
Intermediate
Zero-Trust-Architecture, Wireguard-Configuration, Tailscale-Acl-Management, Boundary-Session-Management
Zero-Trust, Wireguard, Tailscale, Boundary, Beyondcorp, Vpn, Mtls, Spiffe
Wireguard, Tailscale, Boundary, Istio, Linkerd, Spire

The Core Principle#

Zero trust networking operates on a simple premise: no network location is inherently trusted. Being inside the corporate network, inside a VPC, or inside a Kubernetes cluster does not grant access to anything. Every request must be authenticated, authorized, and encrypted regardless of where it originates.

This is a departure from the traditional castle-and-moat model where a VPN places you “inside” the network and everything inside is implicitly trusted. That model fails because attackers who breach the perimeter have unrestricted lateral movement. Zero trust eliminates the concept of inside versus outside.