Overview

Xloud Key Manager supports two certificate workflows: storing externally issued certificates from your existing CA, and ordering certificates through a configured CA plugin for automated issuance. Both workflows produce a certificate container that can be consumed by the Load Balancer service for HTTPS termination.
Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
  • OpenStack API credentials loaded in your shell (source admin-openrc.sh)

Store an Existing Certificate

Use this workflow when you have an externally issued certificate (Let’s Encrypt, DigiCert, your enterprise CA, etc.) and want to store it in Key Manager.
1. Store the certificate secret

Store the X.509 certificate
openstack secret store \
  --name app-tls-cert \
  --secret-type certificate \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 certificate.pem)"
2. Store the private key secret

Store the private key
openstack secret store \
  --name app-tls-key \
  --secret-type private \
  --payload-content-type "application/pkcs8" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 private_key.pem)"
3. Store the CA chain (recommended)

Store CA chain
openstack secret store \
  --name app-ca-chain \
  --secret-type certificate \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 ca-chain.pem)"
4. Create a certificate container

Bundle into certificate container
openstack secret container create \
  --name app-tls-bundle \
  --type certificate \
  --secret "certificate=<cert-href>" \
  --secret "private_key=<key-href>" \
  --secret "intermediates=<ca-chain-href>"
The container is now ready to reference in the Load Balancer HTTPS listener configuration.
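The four steps above as one script, added here as an example (it is not part of the Xloud documentation or its tooling). It validates that each file is the PEM type the step expects before anything is uploaded, captures every href from the CLI output instead of pasting it by hand, and derives the secret names from a single bundle name. It assumes the openstack CLI is configured (source admin-openrc.sh) and that the "Secret href" and "Container href" output columns follow the python-barbicanclient format; the script name and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Xloud documentation or tooling: store an
# externally issued certificate, its private key and the CA chain, then
# bundle them into a certificate container, capturing each href from the
# CLI output instead of pasting it by hand.
# Assumptions: the openstack CLI is configured (source admin-openrc.sh),
# and the "Secret href" / "Container href" output columns follow the
# python-barbicanclient format. Secret names derive from the bundle name.
set -eu

# Refuse to upload a file that is not the PEM type we expect. Swapping the
# certificate and key arguments is the most common mistake in this workflow,
# and a passphrase-protected key cannot be consumed by the Load Balancer.
require_pem() {  # file expected-marker ("CERTIFICATE" or "PRIVATE KEY")
  file="$1"; marker="$2"
  [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 1; }
  grep -q -- "-----BEGIN .*$marker-----" "$file" || {
    echo "error: $file does not contain a PEM $marker block" >&2; return 1; }
  if grep -q -- "-----BEGIN ENCRYPTED PRIVATE KEY-----" "$file"; then
    echo "error: $file is passphrase-protected; store an unencrypted PKCS#8 key" >&2
    return 1
  fi
}

# Store one secret (base64-wrapped, exactly as the manual steps do) and
# print only its href so callers can capture it with $(...).
store_secret() {  # name secret-type content-type file
  openstack secret store \
    --name "$1" \
    --secret-type "$2" \
    --payload-content-type "$3" \
    --payload-content-encoding base64 \
    --payload "$(base64 -w 0 "$4")" \
    -f value -c "Secret href"
}

# Validate, store all three secrets, and create the container.
# Prints the container href, which is what the Load Balancer listener needs.
store_tls_bundle() {  # bundle-name cert.pem key.pem ca-chain.pem
  name="$1"; cert="$2"; key="$3"; chain="$4"
  require_pem "$cert" CERTIFICATE || return 1
  require_pem "$key" "PRIVATE KEY" || return 1
  require_pem "$chain" CERTIFICATE || return 1
  cert_href=$(store_secret "$name-cert" certificate application/pkix-cert "$cert")
  key_href=$(store_secret "$name-key" private application/pkcs8 "$key")
  chain_href=$(store_secret "$name-ca-chain" certificate application/pkix-cert "$chain")
  openstack secret container create \
    --name "$name-bundle" \
    --type certificate \
    --secret "certificate=$cert_href" \
    --secret "private_key=$key_href" \
    --secret "intermediates=$chain_href" \
    -f value -c "Container href"
}

# Usage: ./store_tls_bundle.sh app certificate.pem private_key.pem ca-chain.pem
if [ "$#" -eq 4 ]; then
  store_tls_bundle "$@"
fi
```

Running it as ./store_tls_bundle.sh app certificate.pem private_key.pem ca-chain.pem prints the container href to pass to the Load Balancer listener. The -f value -c "Secret href" selection is what makes each store command's output safe to capture; without it the CLI prints a full table.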

Order a Certificate

Certificate orders automate issuance through a Certificate Authority plugin configured by your administrator.
Create a certificate order
openstack secret order create certificate \
  --name app-cert-order \
  --algorithm rsa \
  --bit-length 2048 \
  --subject-dn "CN=app.example.com,O=Example Corp,C=US"
Check order status
openstack secret order show <order-href>
When the order status reaches ACTIVE, retrieve the issued certificate container:
Get the issued certificate container
openstack secret order show <order-href> -c container_ref
Certificate order availability depends on your platform’s CA plugin configuration. Contact your administrator to verify which CA backends are enabled.

Certificate Lifecycle Management

Stage        Action                                         Notes
-----------  ---------------------------------------------  ------------------------------------
Issuance     Store or order via CA plugin                   Creates certificate + key secrets
Deployment   Create container, reference in Load Balancer   Bundles cert + key + chain
Monitoring   Track expiration date externally               Key Manager sends no alerts
Renewal      Store new certificate, update container        Update Load Balancer reference
Revocation   Delete old secrets after transition            Update all service references first
Set calendar reminders at 60 days, 30 days, and 7 days before certificate expiration. Renew the certificate and update the Load Balancer listener reference at least 14 days before expiry to allow for propagation and testing.

Verify a Certificate

Retrieve certificate and check expiry
openstack secret get <cert-href> --payload -f value | \
  openssl x509 -noout -dates -subject
Verify certificate matches private key
openstack secret get <cert-href> --payload -f value > /tmp/cert.pem
openstack secret get <key-href> --payload -f value > /tmp/key.pem
diff <(openssl x509 -noout -modulus -in /tmp/cert.pem | md5sum) \
     <(openssl rsa -noout -modulus -in /tmp/key.pem | md5sum)
If both md5sum values match, the certificate and private key are a valid pair. Because this compares RSA moduli, it applies only to RSA key pairs.
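The expiry and key-match checks above, collected into reusable shell functions as an added example (not code from the Xloud documentation). It generalizes the page's checks in two ways: the key-match test compares the certificate's public key with the one derived from the private key, so it works for EC as well as RSA keys, and the expiry test maps the remaining lifetime onto the 60/30/7-day reminders and 14-day renewal deadline from the lifecycle section, which makes it usable from a cron job or CI step for the "Monitoring" stage that Key Manager leaves to you. It assumes openssl is installed and that the PEM files were fetched with openstack secret get ... --payload -f value; the script and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Xloud documentation: local checks on a
# certificate and key retrieved from Key Manager, usable from a cron job or
# CI step to cover the "Monitoring" stage the lifecycle table leaves to you.
# Assumes openssl is installed and the PEM files have been fetched, e.g.
#   openstack secret get <cert-href> --payload -f value > cert.pem
set -eu

# True (exit 0) if the certificate expires within N days; N=0 means already
# expired. -checkend exits 0 when the cert will NOT expire, so invert it.
cert_expires_within() {  # cert.pem days
  ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Map the remaining lifetime onto the renewal schedule from this page:
# reminders at 60/30/7 days, renewal due at 14 days before expiry.
cert_renewal_stage() {  # cert.pem
  if cert_expires_within "$1" 0; then echo expired
  elif cert_expires_within "$1" 7; then echo critical-7d
  elif cert_expires_within "$1" 14; then echo renew-now-14d
  elif cert_expires_within "$1" 30; then echo warn-30d
  elif cert_expires_within "$1" 60; then echo warn-60d
  else echo ok
  fi
}

# True if the certificate's public key equals the public key derived from
# the private key. Unlike comparing RSA moduli, this works for EC keys too.
cert_matches_key() {  # cert.pem key.pem
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
  key_pub=$(openssl pkey -pubout -in "$2") || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: ./check_tls.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
  printf 'renewal stage: %s\n' "$(cert_renewal_stage "$1")"
  if cert_matches_key "$1" "$2"; then
    echo "key matches certificate"
  else
    echo "MISMATCH: key does not belong to certificate" >&2
    exit 1
  fi
fi
```

A non-zero exit from the script means either the key does not belong to the certificate or openssl could not parse one of the files, so it is safe to gate a Load Balancer listener update on it. The stage names are plain strings so a scheduler can route warn-60d and warn-30d to a reminder and critical-7d to a page.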

Next Steps

Containers: Bundle certificates into containers for Load Balancer use
ACL: Control which users and services can access certificate secrets
Store Secrets: Store other secret types alongside certificates
Troubleshooting: Resolve certificate container and order issues