- Maintain a list of revoked node certificates/IDs - Host an OCSP responder and serve CA certs/trust anchor - Serve CA certs as `.pem` - Configure with rustls
