How do you implement mTLS (mutual TLS) in a microservices architecture?

mTLS requires both client and server to present certificates. Implementation: Certificate Authority (internal CA or Vault), automatic certificate rotation (short-lived certs), service mesh handling (Istio, Linkerd automate mTLS), trust chain management. Challenges: certificate provisioning at scale, rotation without downtime, debugging encrypted traffic. Benefits: strong service identity, encrypted communication, no shared secrets. Combine with SPIFFE/SPIRE for workload identity. Monitor certificate expiry and revocation (CRL/OCSP).