TLS Certificates Interface
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/edge | 175 | 19 Sep 2025 | |
latest/edge | 19 | 10 Feb 2023 | |
juju deploy tls-certificates-interface --channel edge
Security
The TLS Certificates Interface and library are developed with security as one of their core values. This document outlines the key security features of the interface and library.
If you discover a security issue, see the TLS Certificates Interface security policy for information on how to report the issue.
Private Key management
In X.509 certificate workflows, the private key is highly sensitive and must remain confidential. As outlined in TLS Certificates Interface Explanation, the private key never leaves the charm that requires the TLS certificate.
Encryption at Rest
The TLS Certificates library stores the private key in a Juju secret that can only be read by the charm requiring the TLS certificates or a Juju administrator.
For information on how you can manage Juju secret backends, see How to manage secret backends.
Key Generation Algorithm
The TLS Certificates library generates private keys using the RSA algorithm.
Key rotation
Charm authors can rotate the private key by calling the regenerate_private_key method, which will generate a new private key, remove old certificate requests, and send new ones to the TLS provider.