You are browsing documentation for an outdated version. See the
latest documentation here.
Certificate Authority rotation
Kong Mesh lets you provide secure communication between applications with mTLS. You can change the mTLS backend with
Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA.
You can define many backends in the
mtls section of the Mesh configuration. The data plane proxy is configured to support
certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the
tag. For example:
Start with mTLS enabled and a
builtin backend named
Then, follow the steps to rotate certificates to a new
provided backend named
Each step can take some time, but Kong Mesh provides validators to prevent you from
continuing too soon.