The Charm Store will undergo scheduled database maintenance on July 5, 2026 22:00 to July 6, 02:00 UTC. During this time, you may be unable to access charm and bundle metadata or publish updates. No user action is required and services will automatically resume once maintenance is complete.

Manual TLS Certificates

Platform:

Ubuntu
24.04 22.04
Channel Revision Published Runs on
latest/stable 108 04 Jul 2024
Ubuntu 22.04
latest/edge 187 16 Apr 2025
Ubuntu 22.04
latest/edge 186 16 Apr 2025
Ubuntu 22.04
1/stable 225 17 Sep 2025
Ubuntu 24.04
1/stable 224 17 Sep 2025
Ubuntu 24.04
1/candidate 225 17 Sep 2025
Ubuntu 24.04
1/candidate 224 17 Sep 2025
Ubuntu 24.04
1/beta 281 10 Dec 2025
Ubuntu 24.04
1/beta 280 10 Dec 2025
Ubuntu 24.04
1/edge 452 03 Jul 2026
Ubuntu 24.04
1/edge 451 03 Jul 2026
Ubuntu 24.04
juju deploy manual-tls-certificates

Getting Started

In this tutorial, we will use the Manual TLS Certificates charm to provide certificates to a requiring charm using the TLS Certificates Requirer Operator as our TLS certificates requirer.

1. Install pre-requisites

Install MicroK8s:

sudo snap install microk8s

Enable the hostpath-storage MicroK8s add-on:

microk8s enable hostpath-storage

Install Juju:

sudo snap install juju

2. Bootstrap a Juju controller

Bootstrap a Juju controller:

juju bootstrap microk8s

Create a Juju model:

juju add-model demo

3. Deploy Manual TLS Certificates

juju deploy manual-tls-certificates

4. Deploy tls-certificates-requirer

juju deploy tls-certificates-requirer

5. Integrate the two charms

Integrate the charms with their tls-certificates interface:

juju integrate manual-tls-certificates tls-certificates-requirer

Wait for both charms to be in the active/idle status.

ubuntu@server:~$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
dev    microk8s-localhost  microk8s/localhost  3.4.0    unsupported  15:31:05-05:00

App                        Version  Status  Scale  Charm                      Channel  Rev  Address         Exposed  Message
manual-tls-certificates             active      1  manual-tls-certificates               0  10.152.183.58   no       1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer           active      1  tls-certificates-requirer  edge      45  10.152.183.241  no       Certificate request is sent

Unit                          Workload  Agent  Address      Ports  Message
manual-tls-certificates/0*    active    idle   10.1.182.25         1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer/0*  active    idle   10.1.182.40         Certificate request is sent

6. Generate a CA key and certificate with OpenSSL

Create a certs directory

mkdir certs

Generate a Private Key

openssl genrsa -out certs/ca.key 2048

Generate a CA certificate

openssl req -new -x509 -days 3650 -key certs/ca.key -out certs/ca.crt -subj "/C=US/CN=pizza.com"

7. Retrieve the CSR

Retrieve the Certificate Signing Request (CSR) made by the TLS Certificates requirer and passed to the Manual TLS Certificates:

juju run manual-tls-certificates/leader get-outstanding-certificate-requests --format=json | yq '.manual-tls-certificates/0.results.result' | yq '.[0].csr' > certs/client.csr

8. Sign the certificate

Sign the certificate and provide it to Manual TLS Certificates:

openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/client.crt -days 365 -sha256

Provide the certificate to Manual TLS Certificates:

juju run manual-tls-certificates/leader provide-certificate \
  certificate="$(base64 -w0 certs/client.crt)" \
  ca-certificate="$(base64 -w0 certs/ca.crt)" \
  certificate-signing-request="$(base64 -w0 certs/client.csr)"

9. Validate that the certificate was provided correctly

ubuntu@server:~$ juju run tls-certificates-requirer/leader get-certificate
Running operation 81 with 1 task
  - task 82 on unit-tls-certificates-requirer-0

Waiting for task 82...
ca-certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIDIzCCAgugAwIBAgIUMdmiAJ3GwQSNFlyv6WV/+dfHLucwDQYJKoZIhvcNAQEL
  BQAwITELMAkGA1UEBhMCVVMxEjAQBgNVBAMMCXBpenphLmNvbTAeFw0yNDAyMjYy
  MDM3MDlaFw0zNDAyMjMyMDM3MDlaMCExCzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlw
  aXp6YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQYdSsh37c
  t7Dtgbh1jd0Y6VZIlmt5/3lOGJ4vA123tTpf+ll99Dz8KS3E/H/T5WvC4N/n41+l
  ZET+SfNr+VcJ6GopjhD/nYjgQL3CuTsFfo40ZZGJXGG2HTZpK9rZ1r6mSK3lmwTj
  KtnAE0uwYIErNwJuIXj2d7AyhmqaBGfxU7VrPow3ZT12VxBDxjmIKxNnO1nFOdEX
  KoJ6ZyhH4yxZyT9zazqV9e06M1hfOThdXXTXEz5gxnR9IjpgCV8FUsNwBdULqrvi
  V2J6sr/WonuFdtHXHiMY3sb8PX2t9ZFDHHCpwX0/TWkqD35uZzPCUbMfm4Hgi8Rj
  STa+pggodl4tAgMBAAGjUzBRMB0GA1UdDgQWBBT0hOA9rop0hXmcp3YN7B3WJ/kF
  nDAfBgNVHSMEGDAWgBT0hOA9rop0hXmcp3YN7B3WJ/kFnDAPBgNVHRMBAf8EBTAD
  AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAugqNHcRftTth+KjLFjpuPRJu/6LR0A/ix
  Xh6ZZ1lmeddt7rESb0xxQJFd1VA7ySYDJBNFgoWbCBwqgGyBOL0DqtyZdj22EdBh
  XPGMQxDFnBnU1ZvjmWkmdKYhBOu9vUmcchrWn7xudya7/q3K76ScDnIwucdzCgwh
  CRZtAzh3wQRfsOMnbPbAQU7KNCH3bWANERGWoMgA/a3y1Yw4m+YTNxfpQNP1sRP5
  yQtT3Vgh/oj9JyO88fFpzLoVpq8rJxyzdwSCgoVg/w6zz4ckDXD/hE9rdaL9eAaK
  sbEgEBQMx3JYDJzgqdQRYAjxT3Us4bPjr9GC+63RFO/+IAD5it4G
  -----END CERTIFICATE-----
certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIDATCCAekCFD49IljmLaHZuZyoP1UgRd62IU2NMA0GCSqGSIb3DQEBCwUAMCEx
  CzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlwaXp6YS5jb20wHhcNMjQwMjI2MjEwMjQz
  WhcNMjUwMjI1MjEwMjQzWjBZMSgwJgYDVQQDDB90bHMtY2VydGlmaWNhdGVzLXJl
  cXVpcmVyLTAuZGV2MS0wKwYDVQQtDCRhNDk2ZWQxZS1mMTk3LTRmYTctYmMzNC1m
  MTlhNDYzNjM4ZmIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr7e+m
  tgBCApKlMzumZ3you2nrtby45VWZpaDbdzxWl5HT9++xUBvS5CMXv5LrRa0hF/kK
  /Z3e7HSKD9VbCrLTGzannwAVhDjNEQzSXxKIBgk10zEylKvCkgmUvea15qSALYZm
  rISixRkSWeUTS2e348110XxfX2gGXa5n9vhBNhUcElT0Sf5/RpzJblEhD6qVMFVi
  6wx1tq7scwI2CY0DPGHMW8+XOrmuCArB/7AtosZRKFkq7psUriUMpyS56rslN+hU
  HKm2Ho/VJARPCtLq97QacS7u2i/zoUn3uzB9Xvk7CLVKETjf6pMlIGN+NabIGWMY
  Jf5Dx+2kDwgxduzVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFu56JcROdmKFCqF
  xO1u9A6fTraKs3yovvSLIoqppmLMehEYgRw7yEe9IF+OgzUnIcd6CWJ12DDSW7WY
  AyJmxIEXPuxumjOvB9PrwSWInc6td3mrfitAVKpJOK4angOuaoQcR76jghAUP+mT
  Lcq9fXp4YGvCqH9hrTEnLoVeuN/ikl6yTjDt5CNnYegECpVG7vGG0/KITRkxJEHw
  vmWgGBcY7ny0tWNwyLUtyEUNdIKIiWQFecQJEEMY/WdB75CLS7xay4JOcpEvIxCe
  KDGc6aPHy9NWTS9/ofWcV0ysjA7HoaR62KK9v604x96YrFStPierbcxeIIsgWWXb
  rhjq+FU=
  -----END CERTIFICATE-----
csr: |-
  -----BEGIN CERTIFICATE REQUEST-----
  MIICnjCCAYYCAQAwWTEoMCYGA1UEAwwfdGxzLWNlcnRpZmljYXRlcy1yZXF1aXJl
  ci0wLmRldjEtMCsGA1UELQwkYTQ5NmVkMWUtZjE5Ny00ZmE3LWJjMzQtZjE5YTQ2
  MzYzOGZiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+3vprYAQgKS
  pTM7pmd8qLtp67W8uOVVmaWg23c8VpeR0/fvsVAb0uQjF7+S60WtIRf5Cv2d3ux0
  ig/VWwqy0xs2p58AFYQ4zREM0l8SiAYJNdMxMpSrwpIJlL3mteakgC2GZqyEosUZ
  ElnlE0tnt+PNddF8X19oBl2uZ/b4QTYVHBJU9En+f0acyW5RIQ+qlTBVYusMdbau
  7HMCNgmNAzxhzFvPlzq5rggKwf+wLaLGUShZKu6bFK4lDKckueq7JTfoVBypth6P
  1SQETwrS6ve0GnEu7tov86FJ97swfV75Owi1ShE43+qTJSBjfjWmyBljGCX+Q8ft
  pA8IMXbs1QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAJQaBeqpMRQgJWXhH4FI
  t5ByNPKyzQ1ttlRLKmRBgbwfCqfBxX6oAZkQXibGskbZpR/KVZC+jfJLwhkQxY+f
  eQmc2X40nzQk/2QrAywLcpk//yOp8NizrYV4Vc+gO2KI2H5+IYTbPlH1mbZWQFHH
  nvYfK553FDL7Mx3WL4iqQGisyYYN4aEBqMFJaCc/h/Ar6ZHH+Tgx4EoZ5luNG/hL
  DJkXeuKeopt6oNp2n8ROvcy+vTcMWBXemV+yJ0YUnLoreyiUUnX1BT/1Aa6jQ4za
  Dyyr9EZXDO99JPsT5fPETOSP50STQLritqrdO9TtSSSDhRLve7n5J5HNQQBW7VKw
  tXI=
  -----END CERTIFICATE REQUEST-----