
PKI Guidance for NowConnect

This page covers CA hierarchy, certificate content (SANs), issuance, rotation sequencing, and revocation strategies for NowConnect mesh and optional agent mTLS at ingress.

CA hierarchy and trust

Use                                  Recommended CA
Mesh /mesh mTLS                      Private enterprise CA (intermediate) dedicated to mesh
Agent mTLS (optional at ingress)     Same enterprise CA or a separate profile

Avoid using public CAs for internal mesh links.

Certificate content

  • SANs must include DNS names used in ha.mesh.peers (e.g., cloud-a.example.com). Modern clients ignore CN for name checks.
  • Key usage: Digital Signature; Extended Key Usage: TLS Web Client Authentication for client, TLS Web Server Authentication for server as applicable.

Rotation sequencing (mesh)

Revocation strategy

  • Prefer short-lived certificates and rotation over CRL/OCSP complexity.
  • If revocation is required, use OCSP stapling at ingress and restrict trust to a narrow intermediate.

SAN allowlist and validation

  • Keep peer endpoints tight; avoid wildcard SANs. Monitor for unexpected SANs issued under the mesh CA.
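A policy check that puts the certificate-content and SAN-allowlist rules above into code, written as an added example rather than anything shipped with NowConnect. It works on the dict layout that Python's ssl.SSLSocket.getpeercert() returns, so it can be run against a live mesh peer or, as here, against constructed sample certificates; the peer names and the 30-day lifetime limit are assumptions standing in for your ha.mesh.peers values.

```python
import ssl
from datetime import timedelta

# Assumed ha.mesh.peers entries and lifetime limit (example values, not NowConnect defaults).
MESH_PEERS = {"cloud-a.example.com", "cloud-b.example.com"}
MAX_VALIDITY = timedelta(days=30)   # short-lived certs instead of CRL/OCSP


def audit_mesh_cert(cert, peers=MESH_PEERS, max_validity=MAX_VALIDITY):
    """Return policy findings for one peer certificate; [] means it passes.

    `cert` follows ssl.SSLSocket.getpeercert(): subjectAltName is a tuple of
    (type, value) pairs and dates look like 'Mar  1 00:00:00 2025 GMT'.
    """
    findings = []
    sans = cert.get("subjectAltName", ())
    if not sans:
        # Modern clients ignore CN, so a SAN-less cert never matches a peer name.
        findings.append("no subjectAltName extension; CN alone is not sufficient")
    for san_type, value in sans:
        if san_type != "DNS":
            findings.append(f"non-DNS SAN {san_type}:{value}; mesh peers are named by DNS")
        elif "*" in value:
            findings.append(f"wildcard SAN {value}; keep peer endpoints explicit")
        elif value.lower() not in peers:
            findings.append(f"SAN {value} is not a configured mesh peer")
    # A long validity window defeats the rotation-over-revocation strategy.
    try:
        lifetime = timedelta(seconds=ssl.cert_time_to_seconds(cert["notAfter"])
                             - ssl.cert_time_to_seconds(cert["notBefore"]))
    except (KeyError, ValueError):
        findings.append("missing or unparsable validity dates")
    else:
        if lifetime > max_validity:
            findings.append(f"validity {lifetime.days}d exceeds {max_validity.days}d")
    return findings


# Constructed sample certificates in getpeercert() layout (not real issued certs).
GOOD_CERT = {
    "subjectAltName": (("DNS", "cloud-a.example.com"),),
    "notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "Mar 15 00:00:00 2025 GMT",
}
BAD_CERT = {   # wildcard, unknown peer, IP SAN and a two-year lifetime
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "cloud-c.example.com"),
                       ("IP Address", "10.0.0.5")),
    "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2027 GMT",
}

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, audit_mesh_cert(cert) or ["ok"])
```

Run the same function over certificates pulled from the mesh CA's issuance log to surface unexpected SANs before they are trusted by a peer.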

Alerts and monitoring

  • Cert expiry alerts (see HA architecture page). Track TLS errors and reconnects as early indicators.